In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code.
https://research.splunk.com/application/d1d8fda6-874a-400f-82cf-dcbb59d8e4db/