CVE-2026-2253— Hitachi Vantara Pentaho Data Integration & Analytics - Improper Restriction of XML External Entity Reference
Possible ATT&CK Techniques 2AI
T1189 · Drive-by Compromise T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Hitachi Vantara | Pentaho Data Integration and Analytics | 1.0< 10.2.0.7 | affected |
10.0< 11.0.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-2253
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hitachi Vantara Pentaho Data Integration & Analytics - Improper Restriction of XML External Entity Reference
Source: NVD (National Vulnerability Database)
Vulnerability Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
XML外部实体引用的不恰当限制(XXE)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Data Integration and Analytics | 1.0 ~ 10.2.0.7 | - |
II. Public POCs for CVE-2026-2253
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-2253
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-2253 (1)
Same Patch Batch · Hitachi Vantara · 2026-05-27 · 3 CVEs total
| CVE-2026-2254 | 6.3 MEDIUM | Hitachi Vantara Pentaho Data Integration & Analytics - Incorrect Permission Assignment for |
| CVE-2026-2255 | 4.3 MEDIUM | Hitachi Vantara Pentaho Data Integration & Analytics - Insufficiently Protected Credential |
IV. Related Vulnerabilities
Same product: Pentaho Data Integration and Analytics
- CVE-2026-2255
Hitachi Vantara Pentaho Data Integration & Analytics - Insuf - CVE-2026-2254
Hitachi Vantara Pentaho Data Integration & Analytics - Incor - CVE-2025-11159
Hitachi Vantara Pentaho Data Integration & Analytics - Depen - CVE-2025-11158
Hitachi Vantara Pentaho Data Integration & Analytics - Missi - CVE-2025-9121
Hitachi Vantara Pentaho Business Analytics Server - Deserial
Same vendor: Hitachi Vantara
- CVE-2026-2255
Hitachi Vantara Pentaho Data Integration & Analytics - Insuf - CVE-2026-2254
Hitachi Vantara Pentaho Data Integration & Analytics - Incor - CVE-2025-11159
Hitachi Vantara Pentaho Data Integration & Analytics - Depen - CVE-2025-11158
Hitachi Vantara Pentaho Data Integration & Analytics - Missi - CVE-2025-9121
Hitachi Vantara Pentaho Business Analytics Server - Deserial
Same weakness: CWE-611
- CVE-2026-3603
IBM Engineering Lifecycle Management - Jazz Foundation is vu - CVE-2026-44618
Apache CXF: XXE vulnerability in WS-Transfer functionality - CVE-2026-46722
XML External Entity Injection in extension "Faceted Search" - CVE-2026-44445
ERPNext: XML External Entity (XEE) Reference Vulnerability i - CVE-2026-41895
changedetection.io: XXE vulnerability in the changedetection
V. Comments for CVE-2026-2253
No comments yet