CVE-2023-46214

HIGH

Splunk Enterprise < 9.0.7 and < 9.1.2 - RCE

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-46214. PoCs were published by dyeat, nathan, Valentin Lobstein and h00die, including the Metasploit module exploits/unix/http/splunk_xslt_authenticated_rce.

Description

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.

Exploits (2)

GitHub · WORKING POC
by dyeat · python · poc
https://github.com/dyeat/cve-reproduction/tree/main/Splunk/Splunk/CVE-2023-46214

This repository contains a functional exploit for CVE-2023-46214, an RCE vulnerability in Splunk. The exploit leverages XSLT file upload and transformation to write a reverse shell script to disk and execute it.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Splunk
Auth required
Prerequisites: valid Splunk credentials · network access to the target Splunk instance
devstral-2 · analyzed May 22, 2026

Metasploit · WORKING POC · EXCELLENT
by nathan, Valentin Lobstein, h00die · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/splunk_xslt_authenticated_rce.rb

This Metasploit module exploits CVE-2023-46214, an authenticated RCE vulnerability in Splunk Enterprise versions 9.0.x before 9.0.7 and 9.1.x before 9.1.2. It uploads a malicious XSLT file to trigger arbitrary code execution via the 'runshellscript' functionality.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Splunk Enterprise 9.0.x < 9.0.7, 9.1.x < 9.1.2
Auth required
Prerequisites: Valid Splunk credentials (default: admin:changeme) · Network access to Splunk management port (default: 8000)
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.0
EPSS: 0.8786
EPSS Percentile: 99.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-91
Status: published
Products (2):
  splunk/cloud < 9.1.2308
  splunk/splunk 9.0.0 - 9.0.7
Published: Nov 16, 2023
Tracked Since: Feb 18, 2026