CVE-2026-20260
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
In Splunk SOAR versions below 8.5.0, an unauthenticated attacker could inject ANSI escape codes into SOAR application log files through specially crafted HTTP request paths. The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs.
Risk Assessment
An attacker could exploit this vulnerability to inject malicious codes that may be interpreted by a terminal emulator, potentially leading to information disclosure or unauthorized actions by the administrator.
Recommendation
It is recommended to upgrade Splunk SOAR to version 8.5.0 or later to mitigate this vulnerability. Additionally, implementing input validation and filtering mechanisms in the application is advisable.
Original NVD description (English source)
In Splunk SOAR (Security Orchestration, Automation, and Response) versions below 8.5.0, an unauthenticated attacker could inject American National Standards Institute (ANSI) escape codes into SOAR application log files through specially crafted HTTP request paths, which a terminal emulator might interpret when an administrator views the logs.<br><br>The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs.

