From 33979b76eb68550529e36c679d5743de6db2320c Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Mon, 15 Jun 2026 11:58:39 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-20253 rule --- .../crowdsecurity/vpatch-CVE-2026-20253.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-20253.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-20253.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-20253.yaml new file mode 100644 index 00000000000..18634bbe438 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-20253.yaml @@ -0,0 +1,25 @@ +## autogenerated on 2026-06-15 09:58:35 +name: crowdsecurity/vpatch-CVE-2026-20253 +description: 'Detects unauthenticated file upload/truncation via Splunk PostgreSQL sidecar backup endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: /splunkd/__raw/v1/postgres/recovery/backup + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Splunk - Unrestricted File Upload' + classification: + - cve.CVE-2026-20253 + - attack.T1190 + - cwe.CWE-434 From 6570a669e7afaa1a0116263cb2d30a7aed780ed6 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Mon, 15 Jun 2026 11:58:41 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-20253 test config --- .appsec-tests/vpatch-CVE-2026-20253/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-20253/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-20253/config.yaml b/.appsec-tests/vpatch-CVE-2026-20253/config.yaml new file mode 100644 index 00000000000..c9c7a7f68b3 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-20253/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-06-15 09:58:35 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-20253.yaml +nuclei_template: CVE-2026-20253.yaml From e59e6fa8d3914dd17fd46318e76c91fe0b273107 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Mon, 15 Jun 2026 11:58:43 +0200 Subject: [PATCH 3/4] Add CVE-2026-20253.yaml test --- .../vpatch-CVE-2026-20253/CVE-2026-20253.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-20253/CVE-2026-20253.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-20253/CVE-2026-20253.yaml b/.appsec-tests/vpatch-CVE-2026-20253/CVE-2026-20253.yaml new file mode 100644 index 00000000000..0e03577db22 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-20253/CVE-2026-20253.yaml @@ -0,0 +1,20 @@ +## autogenerated on 2026-06-15 09:58:35 +id: CVE-2026-20253 +info: + name: CVE-2026-20253 + author: crowdsec + severity: info + description: CVE-2026-20253 testing + tags: appsec-testing +http: + - raw: + - | + POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic ZGFnOg== + + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 65b2b03b13324a95c86a6b7c2c1697ba320915d0 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Mon, 15 Jun 2026 11:58:45 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-20253 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index c4f95a425d8..73214f91b68 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -48,6 +48,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2023-35078 - crowdsecurity/vpatch-CVE-2023-35082 - crowdsecurity/vpatch-CVE-2023-24000 +- crowdsecurity/vpatch-CVE-2026-20253 - crowdsecurity/vpatch-CVE-2022-22954 - crowdsecurity/vpatch-CVE-2024-1212 - crowdsecurity/vpatch-symfony-profiler