module
Authenticated RCE in Splunk (SimpleXML dashboard PDF generation)
| Disclosed | Created |
|---|---|
| Nov 2, 2022 | Jan 21, 2026 |
Disclosed
Nov 2, 2022
Created
Jan 21, 2026
Description
This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise.
An attacker can inject arbitrary Python code into style parameters, such as the fillColor or lineColor of a sparkline element within a Splunk SimpleXML dashboard.
The malicious code is executed when a user triggers the PDF export function for the dashboard.
The affected versions include any release prior to 8.1.12, as well as versions 8.2.0 through 8.2.9 and 9.0.0 through 9.0.2.
An attacker can inject arbitrary Python code into style parameters, such as the fillColor or lineColor of a sparkline element within a Splunk SimpleXML dashboard.
The malicious code is executed when a user triggers the PDF export function for the dashboard.
The affected versions include any release prior to 8.1.12, as well as versions 8.2.0 through 8.2.9 and 9.0.0 through 9.0.2.
Authors
Maksim Rogov
Danylo Dmytriiev
psytester
Danylo Dmytriiev
psytester
Platform
Python
Architectures
python
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.