Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.
Published: 2026-05-27
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CWE-611 (Improper Restriction of XML External Entity Reference) weakness: an attacker supplies XML containing an external entity declaration, and the affected Pentaho Data Integration and Analytics XML parsers resolve the reference instead of rejecting it. The usual outcome of an unrestricted external entity is that the parser reads a local file, or fetches a URL, that the Pentaho service account can reach and returns the content to the attacker, resulting in information disclosure. The CVSS vector (C:H/I:N/A:N) scores only confidentiality impact; resource-exhaustion denial of service, which unrestricted DTD processing can enable in general, is not part of the assessed impact. The vector requires low privileges (PR:L): the attacker does not need administrative rights, but does need an account that can submit XML to the affected service.

Affected Systems

Affected systems are Hitachi Vantara Pentaho Data Integration and Analytics prior to version 10.2.0.7 and 11.0.0.0, including the 9.3.x and 8.3.x branches. These editions lack the configuration changes that disable external entity processing, leaving the XML subsystem vulnerable.

Risk and Exploitability

The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) scores 7.7: network-reachable, low attack complexity, no user interaction, but a low-privileged account is required (PR:L), and the scope change (S:C) reflects that the parser's file access crosses from the application into the host. Only confidentiality is rated; integrity and availability are scored as none. EPSS is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC entry records Exploitation: none and Automatable: no, so there is no evidence of in-the-wild exploitation at publication, although XXE is a well-understood bug class and proof-of-concept payloads are generic. The attack vector is an authenticated user submitting crafted XML to the Pentaho ETL or analytics service.

Generated by OpenCVE AI on May 27, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround is recorded on this page; the CVE description implies that 10.2.0.7 and 11.0.0.0 are the first unaffected releases.

OpenCVE Recommended Actions

  • Upgrade to Pentaho Data Integration and Analytics version 10.2.0.7, 11.0.0.0, or later, the first releases the CVE description lists as unaffected.
  • If an upgrade cannot be performed immediately, configure every XML parser that handles untrusted input to reject DOCTYPE declarations (for Xerces/JAXP, set the feature http://apache.org/xml/features/disallow-doctype-decl to true) and, as a fallback for parsers that do not honour that feature, disable external general entities, external parameter entities and external DTD loading. Setting FEATURE_SECURE_PROCESSING alone is not sufficient: it caps entity expansion but does not stop the parser from resolving external entities.
  • Apply any vendor-released security patch or configuration update that addresses XML External Entity handling once Hitachi Vantara publishes a support notice; none is referenced on this page yet.
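The Impact paragraph above and the second recommended action turn on the same mechanism, so the following is one added example in Java (the platform Pentaho runs on); it is not Pentaho's code and not from the advisory. It constructs a CWE-611 test document whose external entity points at a throwaway temp file, parses it once with a stock JAXP DocumentBuilderFactory that only has FEATURE_SECURE_PROCESSING set, and once with the hardened settings. The class name XxeDemo, the temp file and its contents are constructed for the demonstration; the feature URIs are the standard Xerces and SAX ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class XxeDemo {

    // Constructed CWE-611 test document: an external general entity whose
    // SYSTEM identifier points at a local file, referenced from a text node.
    static String xxeDocument(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE job [<!ENTITY xxe SYSTEM \"" + target.toUri() + "\">]>\n"
             + "<job><name>&xxe;</name></job>\n";
    }

    // Stock JAXP factory. FEATURE_SECURE_PROCESSING only caps entity expansion
    // counts; it does not stop the parser from fetching external entities.
    static DocumentBuilderFactory defaultFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Hardened factory using the standard Xerces/SAX XXE-prevention settings.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: blocks internal and external entity declarations outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document and returns the text of <name>, or the parser's rejection message.
    static String parseName(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getElementsByTagName("name").item(0).getTextContent();
        } catch (Exception e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file the attacker wants to exfiltrate.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db.password=hunter2");
        String xml = xxeDocument(secret);

        // With the stock factory the entity is expanded and the file content
        // comes back inside the parsed document; the hardened factory throws
        // a SAXParseException because the DOCTYPE itself is disallowed.
        System.out.println("default : " + parseName(defaultFactory(), xml));
        System.out.println("hardened: " + parseName(hardenedFactory(), xml));
        Files.delete(secret);
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The same feature flags apply to SAXParserFactory, XMLInputFactory and TransformerFactory; when auditing a deployment, search for every parser factory that touches user-supplied XML rather than hardening only the one that was reported.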

Generated by OpenCVE AI on May 27, 2026 at 05:50 UTC.


Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 04:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Hitachi; Hitachi vantara Pentaho Data Integration And Analytics

Type: Vendors & Products
Values removed: (none)
Values added: Hitachi; Hitachi vantara Pentaho Data Integration And Analytics

Wed, 27 May 2026 03:30:00 +0000

Type: Description
Values added: Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.

Type: Title
Values added: Hitachi Vantara Pentaho Data Integration & Analytics - Improper Restriction of XML External Entity Reference

Type: Weaknesses
Values added: CWE-611

Type: References
Values added: (none)

Type: Metrics (cvssV3_1)
Values added: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Hitachi Vantara Pentaho Data Integration And Analytics
MITRE

Status: PUBLISHED

Assigner: HITVAN

Published:

Updated: 2026-05-27T18:00:59.490Z

Reserved: 2026-02-09T15:09:06.755Z

Link: CVE-2026-2253

Vulnrichment

Updated: 2026-05-27T18:00:55.695Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T04:16:26.417

Modified: 2026-05-27T19:55:50.070

Link: CVE-2026-2253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T06:00:11Z

Weaknesses