What Happened
Splunk patched an OS command injection in its AI Toolkit, while Atlassian fixed dozens of flaws in third-party dependencies across its products. The post Atlassian, Splunk Patch Critical Vulnerabilities appeared first on SecurityWeek.
Why It Matters
The article reports that Splunk patched a critical OS command injection vulnerability (CVE-2026-20266) in its AI Toolkit that allowed authenticated admins to execute arbitrary operating system commands on the underlying host, and also addressed a related data exfiltration risk from insecure outbound HTTP requests (CVE-2026-20265).[1][2][4] The admin-only precondition narrows who can trigger the bug, but it also means that a single compromised admin session or credential becomes code execution on the Splunk host rather than just control of the Splunk application. Atlassian simultaneously released a large set of security updates for Bamboo, Bitbucket, Confluence, and Jira, mainly fixing critical issues in third-party libraries such as Axios, Apache Tomcat, and Netty across its product line.[1][3]
From a CyberSE.AI perspective, both stories are AI supply chain risk: a flaw in an AI platform, or in a third-party component it pulls in, translates directly into unauthorized code execution and data leakage, and the impact scales with the access the AI agents on that platform hold over infrastructure and data. Organizations should treat AI toolkits and their dependencies as high-value software supply chain elements: maintain an SBOM and drive patching from it, enforce strict role-based access control for AI administration, and put explicit egress governance (an allowlist of permitted destinations) in front of any outbound request an AI agent can make, to reduce blast radius and data loss exposure.
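The pattern behind an admin-triggered OS command injection in an agent "tool", shown in vulnerable and hardened form. This is an added, generic example written for this summary; it is not Splunk's code and does not model how CVE-2026-20266 actually works. The tool allowlist, the `wc`/`head` commands, the data directory under `/var/lib/aitoolkit/data`, and the tainted filename are all assumptions constructed for the illustration.

```python
import subprocess
from pathlib import Path

# Constructed attacker-controlled value: the contents of an admin-facing
# "file to summarize" field (or a value a model filled in on an admin's behalf).
TAINTED_FILENAME = "report.log; id > /tmp/pwned"


def build_command_vulnerable(filename: str) -> str:
    """VULNERABLE: the value is pasted into a shell command line. Under
    subprocess.run(cmd, shell=True) the ';' ends the wc command and the
    rest runs as a second, attacker-chosen command."""
    return f"wc -l {filename}"


# Assumed policy: the only programs the tool may run, each with fixed flags.
ALLOWED_TOOLS = {
    "wc": ["wc", "-l"],
    "head": ["head", "-n", "5"],
}


def build_argv_hardened(tool: str, filename: str, data_root: Path) -> list[str]:
    """HARDENED: allowlisted program, fixed flags, the user value passed as a
    single argv element (no shell), and the path confined to data_root."""
    if tool not in ALLOWED_TOOLS:
        raise PermissionError(f"tool not allowed: {tool!r}")
    root = data_root.resolve()
    # An absolute filename replaces root; '..' walks out of it. Both are
    # caught by resolving and then checking containment.
    target = (root / filename).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes data root: {filename!r}")
    return [*ALLOWED_TOOLS[tool], str(target)]


def run_hardened(tool: str, filename: str, data_root: Path) -> str:
    """Execute the allowlisted command without a shell and return stdout."""
    argv = build_argv_hardened(tool, filename, data_root)
    # shell=False (the default): argv goes straight to execve, so ';', '|',
    # '$(...)' and friends are just bytes inside one argument.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return result.stdout


if __name__ == "__main__":
    root = Path("/var/lib/aitoolkit/data")
    print("vulnerable command line:", build_command_vulnerable(TAINTED_FILENAME))
    print("hardened argv:", build_argv_hardened("wc", TAINTED_FILENAME, root))
    for bad in ("../../etc/passwd", "/etc/passwd"):
        try:
            build_argv_hardened("wc", bad, root)
        except PermissionError as exc:
            print("blocked:", exc)
```

The hardened version does not try to strip metacharacters; it removes the shell, pins the program and its flags, and confines the path, which is the same fix that applies to any "run this for me" tool exposed to admins or to a model. The tainted filename still passes the path check because, without a shell, a semicolon in one argv element is inert.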
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should check whether a vulnerability of this class in their own stack could lead to unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
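The "outbound request governance" called for in Why It Matters and the tool-permission restriction in the first action above, as one concrete egress check an agent's HTTP tool can call before every request. This is an added example for this summary, not code from Splunk, Atlassian, or the article; the allowed hosts and suffixes, the `Decision` type, and the sample URLs are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

# Assumed egress policy for one agent: exact hosts and domain suffixes it may
# call. Everything else is denied by default.
ALLOWED_HOSTS = {"api.openai.com", "search.internal.example"}
ALLOWED_SUFFIXES = (".atlassian.net",)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # logged for audit either way


def _is_public(ip_text: str) -> bool:
    """True only for globally routable addresses: rejects RFC 1918, loopback,
    link-local (including the 169.254.169.254 cloud metadata endpoint),
    CGNAT and other special-use ranges. Raises ValueError for a hostname."""
    return ipaddress.ip_address(ip_text).is_global


def check_egress(url: str, resolved_ips: Iterable[str] = ()) -> Decision:
    """Decide whether an agent tool may send a request to url.

    resolved_ips: the addresses the caller resolved the host to immediately
    before connecting. Re-checking them defeats DNS rebinding of an
    allowlisted name to an internal address."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return Decision(False, f"scheme {parts.scheme!r} not allowed")
    # 'https://api.openai.com@exfil.example/' has host exfil.example; the
    # allowlisted name is only the userinfo part.
    if parts.username is not None or parts.password is not None:
        return Decision(False, "userinfo in URL (host-spoofing pattern)")
    host = (parts.hostname or "").lower()
    if not host:
        return Decision(False, "missing host")
    try:
        port = parts.port
    except ValueError:
        return Decision(False, "malformed port")
    if port not in (None, 443):
        return Decision(False, f"port {port} not allowed")
    # An IP literal bypasses name-based allowlisting; name it in the reason.
    try:
        if not _is_public(host):
            return Decision(False, f"non-public address literal {host}")
    except ValueError:
        pass  # a hostname, not an IP literal
    if host not in ALLOWED_HOSTS and not host.endswith(ALLOWED_SUFFIXES):
        return Decision(False, f"host {host!r} not allowlisted")
    for ip in resolved_ips:
        if not _is_public(ip):
            return Decision(False, f"{host} resolved to non-public address {ip}")
    return Decision(True, f"host {host!r} allowlisted")


if __name__ == "__main__":
    # Constructed requests an agent might attempt, including exfiltration tries.
    for url in (
        "https://api.openai.com/v1/chat/completions",
        "https://team.atlassian.net/rest/api/3/issue",
        "https://api.openai.com@exfil.example/drop",
        "https://169.254.169.254/latest/meta-data/",
        "http://api.openai.com/v1/",
    ):
        print(url, "->", check_egress(url))
```

Checking only the name is not enough on its own: resolve once, pass the addresses through `resolved_ips`, and connect to those exact addresses (or route the agent through an egress proxy that applies the same policy), otherwise an allowlisted name can be rebound to an internal host between check and connect. Keep the `Decision.reason` in the agent's audit log so blocked attempts are visible to detection.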
Source
https://www.securityweek.com/atlassian-splunk-patch-critical-vulnerabilities/