Vulnerabilities

Atlassian, Splunk Patch Critical Vulnerabilities

Splunk patched an OS command injection in AI Toolkit, while Atlassian fixed dozens of flaws in third-party dependencies.

Atlassian and Splunk on Wednesday announced patches for multiple vulnerabilities in their products, including critical-severity flaws.

Splunk resolved a critical issue in AI Toolkit that could allow authenticated attackers with admin roles to execute arbitrary OS commands on the host the Splunk Enterprise instance runs on.

“The vulnerability is possible because of an unsafe shell execution pattern in the btool configuration helper, which constructs OS command strings from dynamic parameters without disabling shell interpretation,” Splunk explains.

Tracked as CVE-2026-20266 (CVSS score of 9.1), the security defect was addressed in Splunk AI Toolkit version 5.7.4. If upgrading is not possible, Splunk recommends uninstalling the AI Toolkit as a mitigation.
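The pattern Splunk describes, a command string assembled from request parameters and handed to a shell, is worth seeing beside its fix. The Python below is an added illustration, not Splunk's btool helper or any code from the AI Toolkit: `SPLUNK_BIN` is replaced by the system `echo` binary so the example runs offline and harmlessly, and the parameter names, the `SAFE_NAME` allowlist and the `PAYLOAD` value are constructed for the demonstration. It shows the same two parameters passed three ways: as a shell string (a second command runs), as an argv list with shell interpretation disabled (the payload stays one literal argument), and as an argv list behind a strict allowlist (the payload is rejected before anything executes).

```python
import re
import shutil
import subprocess
from typing import List

# Stand-in for $SPLUNK_HOME/bin/splunk so the example runs offline and does
# nothing harmful: echo just prints the arguments it receives.  Hypothetical;
# none of this is Splunk's own helper code.
SPLUNK_BIN = shutil.which("echo") or "/bin/echo"

# Allowlist for the dynamic parameters: .conf names and app directory names
# are plain identifiers, so anything else is rejected before it reaches argv.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

# Constructed attacker-controlled value for the 'conf' parameter.  The '#'
# comments out the rest of the line once the shell has split on ';'.
PAYLOAD = "props; echo INJECTED #"


def build_btool_string(conf: str, app: str) -> str:
    """The unsafe pattern: one command string built from dynamic parameters."""
    return f"{SPLUNK_BIN} btool {conf} list --app={app}"


def run_vulnerable(conf: str, app: str) -> List[str]:
    """shell=True hands the string to /bin/sh, so ';' ends the btool command
    and whatever follows runs as a second command on the host."""
    proc = subprocess.run(
        build_btool_string(conf, app),
        shell=True, capture_output=True, text=True, check=False,
    )
    return proc.stdout.splitlines()


def run_argv_without_validation(conf: str, app: str) -> List[str]:
    """Same parameters, but passed as an argv list with shell interpretation
    disabled: the payload stays one literal argument and no second command runs."""
    proc = subprocess.run(
        [SPLUNK_BIN, "btool", conf, "list", f"--app={app}"],
        shell=False, capture_output=True, text=True, check=False,
    )
    return proc.stdout.splitlines()


def build_btool_argv(conf: str, app: str) -> List[str]:
    """Hardened form: validate each parameter, then build argv (never a string)."""
    for name, value in (("conf", conf), ("app", app)):
        if not SAFE_NAME.match(value):
            raise ValueError(f"rejected {name} parameter: {value!r}")
    return [SPLUNK_BIN, "btool", conf, "list", f"--app={app}"]


def hardened_rejects(conf: str, app: str) -> bool:
    """True when the allowlist stops the parameters before any process starts."""
    try:
        build_btool_argv(conf, app)
    except ValueError:
        return True
    return False


def run_hardened(conf: str, app: str) -> List[str]:
    proc = subprocess.run(
        build_btool_argv(conf, app),
        shell=False, capture_output=True, text=True, check=False,
    )
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(PAYLOAD, "search"))
    print("argv only: ", run_argv_without_validation(PAYLOAD, "search"))
    print("hardened:  ", run_hardened("props", "search"))
    print("hardened rejects payload:", hardened_rejects(PAYLOAD, "search"))
```

With the real binary in place of `echo`, the first call would run the injected command with the privileges of the Splunk process; the second shows that disabling shell interpretation alone removes the injection, and the third adds the allowlist so malformed parameters never reach the binary at all.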

The update also addresses CVE-2026-20265, a medium-severity information disclosure bug caused by an insecure default domain allowlist. An attacker holding the admin or power role could cause the AI Toolkit to make outbound HTTP requests to attacker-controlled servers, leading to data exfiltration.
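Splunk's advisory says only that the default domain allowlist was insecure, not what the default was. The example below is an added illustration and not the AI Toolkit's code: the wildcard `PERMISSIVE_DEFAULT`, the `EXPLICIT_ALLOWLIST` entries and the candidate URLs are all constructed, and the point is how an outbound-request allowlist should be evaluated. It matches the parsed hostname rather than the raw URL, so a wildcard default lets a request to an attacker-controlled host through, while an explicit list rejects that host together with userinfo tricks (`allowed@evil`), look-alike suffixes and plain-HTTP downgrades.

```python
from fnmatch import fnmatchcase
from typing import Dict, Iterable
from urllib.parse import urlsplit

# Constructed settings for the example.  The advisory says only that the
# default allowlist was insecure; the wildcard default below is an assumption
# used to illustrate the failure mode, not Splunk's actual configuration.
PERMISSIVE_DEFAULT = ["*"]
EXPLICIT_ALLOWLIST = ["llm-gateway.example.com", "*.models.example.com"]


def outbound_allowed(url: str, allowlist: Iterable[str]) -> bool:
    """Decide whether the toolkit may send a request to 'url'.

    The check runs against the parsed hostname, not the URL string, so the
    comparison cannot be fooled by userinfo ('allowed@evil'), by an allowed
    name used as a prefix of a longer attacker domain, or by a scheme change.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased, with userinfo and port removed
    if not host:
        return False
    return any(fnmatchcase(host, pattern.lower()) for pattern in allowlist)


# Constructed request targets: one legitimate destination and several ways an
# attacker holding the admin or power role might try to route data out.
CANDIDATES = [
    "https://llm-gateway.example.com/v1/chat",
    "https://llm-gateway.example.com@exfil.example.net/",
    "https://llm-gateway.example.com.exfil.example.net/",
    "https://exfil.example.net/collect",
    "http://llm-gateway.example.com/v1/chat",
]


def evaluate(allowlist: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate URL to the allow/deny decision under 'allowlist'."""
    acl = list(allowlist)
    return {url: outbound_allowed(url, acl) for url in CANDIDATES}


if __name__ == "__main__":
    for label, acl in (("permissive default", PERMISSIVE_DEFAULT),
                       ("explicit allowlist", EXPLICIT_ALLOWLIST)):
        print(label)
        for url, ok in evaluate(acl).items():
            print(f"  {'ALLOW' if ok else 'deny '} {url}")
```

Under the wildcard default every HTTPS destination, including `exfil.example.net`, is allowed, which is the exfiltration path the advisory describes; under the explicit list only the gateway and its `*.models.example.com` subdomains pass, and the plain-HTTP variant is refused even for an allowed host.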

Atlassian published 100 security bulletins that address dozens of security defects across Bamboo Data Center and Server, Bitbucket Data Center and Server, Confluence Data Center and Server, Crowd Data Center and Server, Fisheye/Crucible, Jira Data Center and Server, and Jira Service Management Data Center and Server.

All of the flaws resolved by the new bulletins appear to be in third-party dependencies bundled with Atlassian's products rather than in Atlassian's own code.

These include critical-severity issues in Axios (CVE-2026-42043, CVE-2026-40175, and CVE-2026-42264), Apache Tomcat (CVE-2026-41293, CVE-2026-43512, and CVE-2026-43515), and Netty (CVE-2026-42584).

Users are advised to update to a patched version of the affected Atlassian products as soon as possible.

Related: Critical Command Execution Vulnerability Patched in Cisco ISE

Related: F5 Patches Critical, High-Severity NGINX Vulnerabilities

Related: Microsoft Working on Patch for ‘RoguePlanet’ Zero-Day

Related: 3 Recently Patched Fortinet FortiSandbox Vulnerabilities in Hacker Crosshairs

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.