
Summary
Technical summary: This hunting analytic detects potential remote code execution via user-supplied XSLT in Splunk 9.1.x by scanning splunkd_ui access logs for request URIs that contain NO_BINARY_CHECK=1 together with input.path=*.xsl, or that contain dispatch*.xsl, while excluding URIs for the splunkd_ui endpoint itself. The search URL-decodes the matched request to recover the payload path, then derives an action field from the HTTP status code: 200 is treated as Allowed; 303, 500, 401, 403, 404, 301 and 406 as Blocked; anything else as Unknown. Results are aggregated by source IP, user agent, destination URI, decoded payload and host, enriched with geolocation data, and annotated with first-seen and last-seen timestamps so an analyst can judge how long and how often a client has been probing the XSLT path.

The rule runs over existing data and only requires read access to the _internal index; no new data source needs to be onboarded. It is mapped to MITRE ATT&CK technique T1210 and to CVE-2023-46214, aligned with Splunk advisory SVD-2023-1104, and applies to endpoint, web and application contexts. A true-positive test uses a Splunk internal UI access-log dataset to validate detection efficacy. Because this is a hunting search rather than a high-confidence alert, every hit deserves review, with matched requests that returned 200 (Allowed) triaged first: a successful XSLT-based RCE could lead to full compromise of the Splunk host and enable lateral movement within the environment, so suspicious XSLT handling should be investigated and remediated promptly.
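To make the detection logic concrete, the following is an added example (not the rule's own SPL, and not code from Splunk or the content author) that reproduces the search's core steps in Python over constructed splunkd_ui-style access-log lines: match the NO_BINARY_CHECK=1 plus input.path=*.xsl pattern or the dispatch*.xsl pattern, drop URIs containing splunkd_ui, URL-decode the request to recover the .xsl file name, map the status code to Allowed/Blocked/Unknown, and aggregate by client IP, user agent, URI, payload and host with first- and last-seen times. The log lines, IPs, users, paths, timestamps, and the host name sh-01 are invented for the example; the geolocation enrichment is omitted because it needs an external lookup. One deliberate extension over the page's description is that the pattern match runs against the decoded URI, so percent-encoded dots or slashes in the .xsl path are still caught.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in the layout of Splunk's web access log (splunkd_ui).
# Every IP, user, path and timestamp here is invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [16/Nov/2023:10:00:01.000 +0000] "GET /en-US/app/search/search?NO_BINARY_CHECK=1&input.path=%2Ftmp%2Fpayload.xsl HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 1 10ms
10.0.0.5 - admin [16/Nov/2023:10:00:02.000 +0000] "GET /en-US/app/search/search?NO_BINARY_CHECK=1&input.path=%2Ftmp%2Fpayload.xsl HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 2 10ms
10.0.0.9 - guest [16/Nov/2023:10:05:00.000 +0000] "GET /en-US/splunkd/__raw/services/search/jobs/export?dispatch=%2Ftmp%2Fevil.xsl HTTP/1.1" 403 0 "-" "curl/8.4.0" - 3 2ms
10.0.0.5 - admin [16/Nov/2023:10:06:00.000 +0000] "GET /en-US/splunkd_ui/view?NO_BINARY_CHECK=1&input.path=%2Ftmp%2Fpayload.xsl HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 4 1ms
10.0.0.7 - bob [16/Nov/2023:10:07:00.000 +0000] "GET /en-US/app/search/search?q=search%20index%3D_internal HTTP/1.1" 200 9000 "-" "Mozilla/5.0" - 5 30ms
"""

# Common-log-style fields: client IP, user, timestamp, request line, status, user agent.
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<useragent>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S.%f %z"

# Wildcard semantics of the search's "*input.path=*.xsl*" and "*dispatch*.xsl*" terms.
INPUT_PATH_XSL = re.compile(r"input\.path=.*\.xsl", re.I)
DISPATCH_XSL = re.compile(r"dispatch.*\.xsl", re.I)
# Equivalent of rex "(?<string>\w+\.xsl)": pull the stylesheet file name(s) out of the URI.
XSL_NAME = re.compile(r"\w+\.xsl", re.I)

BLOCKED_STATUSES = {301, 303, 401, 403, 404, 406, 500}


def classify(status: int) -> str:
    """Map the HTTP status code to the action field described on the page."""
    if status == 200:
        return "Allowed"
    if status in BLOCKED_STATUSES:
        return "Blocked"
    return "Unknown"


def is_xslt_candidate(decoded_uri: str) -> bool:
    """True when the (decoded) URI matches either of the search's URI conditions."""
    lowered = decoded_uri.lower()
    cond_input_path = "no_binary_check=1" in lowered and INPUT_PATH_XSL.search(decoded_uri)
    cond_dispatch = DISPATCH_XSL.search(decoded_uri)
    return bool(cond_input_path or cond_dispatch)


def hunt(log_text: str, host: str = "sh-01") -> list[dict]:
    """Run the detection over raw access-log text and return aggregated hits.

    Grouping mirrors the stats clause: client IP, user agent, URI, decoded
    payload name(s) and host, with the derived action kept separate so an
    Allowed (200) response never merges with a Blocked one for the same URI.
    """
    groups: dict[tuple, dict] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        uri = m["uri"]
        if "splunkd_ui" in uri:
            continue  # the search excludes the splunkd_ui endpoint itself
        decoded = unquote(uri)
        if not is_xslt_candidate(decoded):
            continue
        seen = datetime.strptime(m["ts"], TS_FORMAT)
        payloads = tuple(sorted(set(XSL_NAME.findall(decoded))))
        action = classify(int(m["status"]))
        key = (m["clientip"], m["useragent"], uri, payloads, host, action)
        g = groups.setdefault(key, {
            "clientip": m["clientip"], "useragent": m["useragent"], "uri": uri,
            "decoded_uri": decoded, "payloads": payloads, "host": host,
            "action": action, "count": 0, "first_seen": seen, "last_seen": seen,
        })
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], seen)
        g["last_seen"] = max(g["last_seen"], seen)
    return sorted(groups.values(), key=lambda g: g["first_seen"])


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["action"], hit["count"], hit["clientip"], hit["payloads"],
              hit["first_seen"].isoformat(), hit["last_seen"].isoformat())
```

On the constructed input this yields two rows: the admin client's two requests for /tmp/payload.xsl collapse into one Allowed hit with a count of 2, the curl request carrying dispatch=/tmp/evil.xsl becomes a Blocked hit, the splunkd_ui request is excluded, and the ordinary search request never matches. In a real hunt the Allowed row is the one to chase first, since a 200 means the server accepted the request that referenced the attacker-controlled stylesheet.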
Categories
- Endpoint
- Web
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1210
Created: 2026-06-24