CVE-2026-2253
Analyzed
Analyzed - Analysis Complete
XML External Entity Injection in Hitachi Vantara Pentaho Data Integration
Vulnerability report for CVE-2026-2253, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-27
Last updated on: 2026-06-18
Assigner: Hitachi Vantara
Description
Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hitachi | vantara_pentaho_data_integration_and_analytics | to 10.2.0.7 (exc) |
| hitachi | vantara_pentaho_data_integration_and_analytics | From 10.2.0.8 (exc) to 11.0.0.0 (exc) |
| hitachi | vantara_pentaho_data_integration_and_analytics | 8.3 |
| hitachi | vantara_pentaho_data_integration_and_analytics | 9.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |