Splunk, Zoom Patch Severe Vulnerabilities

Critical- and high-severity flaws could be exploited to execute arbitrary shell commands or elevate privileges.

By Ionut Arghire | March 12, 2026 (8:06 AM ET)

Splunk and Zoom this week announced security updates that resolve multiple critical- and high-severity vulnerabilities across their product portfolios.

Zoom has addressed a critical-severity flaw in Workplace for Windows that could allow unauthenticated, remote attackers to elevate their privileges over the network. The issue impacts the Mail feature of the product and was addressed in Workplace for Windows version 6.6.0 and Workplace VDI Client for Windows versions 6.4.17, 6.5.15, and 6.6.10.

Additionally, Zoom rolled out patches for three high-severity security defects in certain Zoom Clients for Windows that could be exploited by local attackers to escalate their privileges.

Splunk on Wednesday released a fresh round of Splunk Enterprise updates that resolve dozens of issues, including five that are product-specific. The most severe of these bugs is CVE-2026-20163 (CVSS score of 8.0), a high-severity flaw that could be exploited by attackers who already have high privileges on a vulnerable deployment to execute arbitrary shell commands through a REST endpoint.

“This occurs because of insufficient input sanitization when previewing uploaded files before indexing them,” Splunk says.

The security defect was addressed in Splunk Enterprise versions 10.2.0, 10.0.4, 9.4.9, and 9.3.10, which also resolve three medium-severity flaws leading to XSS attacks, credential exposure, and sensitive information disclosure. The updates also include fixes for dozens of CVEs in third-party packages used in Splunk Enterprise, including multiple Golang dependencies.
A fourth medium-severity issue that could lead to Observability Cloud API access token leakage was resolved in Splunk Enterprise versions 10.2.1 and 10.0.4.

Additionally, Splunk rolled out fixes for dozens of other vulnerabilities in third-party packages in Splunk AppDynamics, including multiple critical-severity flaws.

Splunk made no mention of any of these security defects being exploited in the wild. Additional information can be found on the company’s security advisories page.

Ionut Arghire is an international correspondent for SecurityWeek.
The high-severity Splunk Enterprise flaw CVE-2026-20163 (CVSS 7.2) allows authenticated, high-privilege attackers to execute arbitrary shell commands via a REST endpoint due to insufficient input sanitization when previewing uploaded files. Affected versions include Splunk Enterprise 10.2.0, 10.0.4, 9.4.9, and 9.3.10, with fixes provided in versions 10.2.1 and 10.0.4. Separately, Zoom patched a critical privilege escalation vulnerability in Workplace for Windows, exploitable by unauthenticated remote attackers via the Mail feature.