Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from Vendor (HITVAN) · only source for this CVE.
CVSS VectorVendor: HITVAN
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.
AnalysisAI
External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privileged attacker submit crafted XML that the application's parser resolves, disclosing sensitive local files and enabling server-side request forgery against internal systems. All releases before 10.2.0.7 are affected, as are 11.x branches before 11.0.0.0, explicitly including the 9.3.x and 8.3.x lines. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low (0.03%, 8th percentile).
Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC d
Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x does not restr
Missing ACL enforcement on Hitachi Vantara Pentaho Data Integration & Analytics API endpoints allows authenticated low-p
Plaintext credential exposure in Hitachi Vantara Pentaho Data Integration & Analytics allows authenticated network users
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32047
GHSA-p37q-jm8v-rgqf