CVE-2026-2253: CWE-611 Improper restriction of XML external entity reference in Hitachi Vantara Pentaho Data Integration and Analytics
CVE-2026-2253 is a high-severity vulnerability in Hitachi Vantara Pentaho Data Integration and Analytics prior to versions 10. 2. 0. 7 and 11. 0. 0. 0. The issue involves improper restriction of XML external entity (XXE) references, allowing certain XML parsers to resolve external entities. This can lead to a confidentiality impact without affecting integrity or availability. There is no vendor-provided patch or official remediation guidance available at this time, and no known exploits have been reported in the wild.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-2253) affects Hitachi Vantara Pentaho Data Integration and Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x. It is classified as CWE-611, indicating improper restriction of XML external entity references. The affected software does not prevent certain XML parsers from resolving external entities, which can lead to unauthorized disclosure of information. The CVSS v3.1 base score is 7.7, reflecting a high severity with network attack vector, low attack complexity, requiring low privileges, no user interaction, and a confidentiality impact only. The vulnerability has been published but no official fix or patch has been documented in the provided data.
Potential Impact
The vulnerability allows attackers with low privileges to exploit XML external entity resolution to gain unauthorized access to confidential information processed by the affected Pentaho Data Integration and Analytics versions. There is no impact on integrity or availability according to the CVSS vector. No known exploits are reported in the wild, so active exploitation is not confirmed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is documented in the provided information, users should monitor Hitachi Vantara's advisories for updates. Until a patch is available, consider restricting access to the affected software and carefully controlling XML input sources to mitigate potential risks.
CVE-2026-2253: CWE-611 Improper restriction of XML external entity reference in Hitachi Vantara Pentaho Data Integration and Analytics
Description
CVE-2026-2253 is a high-severity vulnerability in Hitachi Vantara Pentaho Data Integration and Analytics prior to versions 10. 2. 0. 7 and 11. 0. 0. 0. The issue involves improper restriction of XML external entity (XXE) references, allowing certain XML parsers to resolve external entities. This can lead to a confidentiality impact without affecting integrity or availability. There is no vendor-provided patch or official remediation guidance available at this time, and no known exploits have been reported in the wild.
CVSS v3.1
Score 7.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-2253) affects Hitachi Vantara Pentaho Data Integration and Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x. It is classified as CWE-611, indicating improper restriction of XML external entity references. The affected software does not prevent certain XML parsers from resolving external entities, which can lead to unauthorized disclosure of information. The CVSS v3.1 base score is 7.7, reflecting a high severity with network attack vector, low attack complexity, requiring low privileges, no user interaction, and a confidentiality impact only. The vulnerability has been published but no official fix or patch has been documented in the provided data.
Potential Impact
The vulnerability allows attackers with low privileges to exploit XML external entity resolution to gain unauthorized access to confidential information processed by the affected Pentaho Data Integration and Analytics versions. There is no impact on integrity or availability according to the CVSS vector. No known exploits are reported in the wild, so active exploitation is not confirmed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is documented in the provided information, users should monitor Hitachi Vantara's advisories for updates. Until a patch is available, consider restricting access to the affected software and carefully controlling XML input sources to mitigate potential risks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- HITVAN
- Date Reserved
- 2026-02-09T15:09:06.755Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16660ce29bf47b5090357c
Added to database: 5/27/2026, 3:33:32 AM
Last enriched: 5/27/2026, 3:48:28 AM
Last updated: 5/27/2026, 4:38:30 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.