vulnerability
Splunk: CVE-2024-36987: Insecure File Upload in the indexing/preview REST endpoint
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:N/I:P/A:N) | Jul 1, 2024 | Apr 7, 2025 | Oct 31, 2025 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Published
Jul 1, 2024
Added
Apr 7, 2025
Modified
Oct 31, 2025
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the “admin” or “power” Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST endpoint.The vulnerable endpoint is one of several that the Upload Data page in Splunk Web uses to run a “preview” search of the data contained within a file that a user uploads prior to indexing. This process generates a file that a low-privileged user could use to perform the XSLT injection, which could be used to perform downstream exploits.
Solution
splunk-upgrade-latest
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.