CVE-2026-2253
XML External Entity Injection in Hitachi Vantara Pentaho Data Integration
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Hitachi Vantara
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hitachi_vantara | pentaho_data_integration_and_analytics | to 10.2.0.7 (exc) |
| hitachi_vantara | pentaho_data_integration_and_analytics | From 9.3.0 (inc) to 10.2.0.7 (exc) |
| hitachi_vantara | pentaho_data_integration_and_analytics | From 8.3.0 (inc) to 10.2.0.7 (exc) |
| hitachi_vantara | pentaho_data_integration_and_analytics | to 11.0.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including versions 9.3.x and 8.3.x. It involves certain XML parsers that do not prevent the resolution of external entities, which can lead to security issues.
How can this vulnerability impact me? :
The vulnerability has a CVSS v3.1 base score of 7.7, indicating a high severity. It allows an attacker with low privileges and no user interaction to exploit the system remotely over the network. The impact is primarily on confidentiality, potentially allowing unauthorized access to sensitive data through the resolution of external XML entities.