Skip to main content

Pentaho Data Integration And Analytics CVE-2026-2253

| EUVDEUVD-2026-32047 HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2026-05-27 HITVAN GHSA-p37q-jm8v-rgqf
7.7
CVSS 3.1 · Vendor: HITVAN
Share

Severity by source

Vendor (HITVAN) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from Vendor (HITVAN) · only source for this CVE.

CVSS VectorVendor: HITVAN

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 20:38 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.

AnalysisAI

External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privileged attacker submit crafted XML that the application's parser resolves, disclosing sensitive local files and enabling server-side request forgery against internal systems. All releases before 10.2.0.7 are affected, as are 11.x branches before 11.0.0.0, explicitly including the 9.3.x and 8.3.x lines. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low (0.03%, 8th percentile).

Share

CVE-2026-2253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy