PatchSiren cyber security CVE debrief
CVE-2026-2253 Hitachi Vantara CVE debrief
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including the 9.3.x and 8.3.x branches, contain an XML External Entity (XXE) injection vulnerability caused by improper restriction of XML external entity references. The vulnerability, published 2026-05-27, allows an authenticated attacker with network access to submit malicious XML and have the server read arbitrary files or perform server-side request forgery (SSRF) on the attacker's behalf. The CVSS 3.1 base score of 7.7 (HIGH) reflects a network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with a scope change; integrity and availability are not affected. The weakness maps to CWE-611 (Improper Restriction of XML External Entity Reference).
- Vendor: Hitachi Vantara
- Product: Pentaho Data Integration and Analytics
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Pentaho Data Integration & Analytics 8.3.x, 9.3.x, or 10.x releases earlier than 10.2.0.7; security teams responsible for ETL and analytics platform security; compliance officers tracking data exposure risks in business intelligence environments.
Technical summary
The vulnerability exists because Pentaho Data Integration & Analytics does not properly restrict external entity resolution in certain XML parsers. An XML document may declare, in its DTD, an entity whose value is an external resource named by a SYSTEM identifier; when a parser is allowed to resolve such entities, a reference to one in element content expands to the contents of that resource. An attacker with low-privileged network access can submit a crafted document to an affected parser so that a local file path expands into the parsed output (arbitrary file disclosure) or a URL is fetched by the Pentaho server itself (SSRF). Versions 10.2.0.7 and 11.0.0.0 restrict external entity resolution in the affected parsers.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Hitachi Vantara Pentaho Data Integration & Analytics 10.2.0.7 or 11.0.0.0 or later; the advisory lists no fixed 8.3.x or 9.3.x release, so those branches need a version upgrade rather than a point patch
- Review the XML parser configuration of any transformation, job, or plugin that parses XML from untrusted sources: external entity resolution should be disabled, and DOCTYPE declarations rejected outright where the data does not need DTDs
- Audit access and application logs for suspicious XML upload or processing activity, in particular submitted XML containing DOCTYPE, ENTITY, or SYSTEM declarations, and outbound connections from Pentaho hosts to unexpected destinations (the SSRF signature)
- Validate XML data sources at ingestion, but treat this as defense in depth: input filtering alone does not reliably stop XXE, parser configuration does
- Segment the network to limit exposure of Pentaho instances, and restrict outbound egress from Pentaho hosts so a successful SSRF cannot reach internal services
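The technical summary and the parser-configuration review action above both come down to a single parser setting. The following script is an added example, not Pentaho code and not taken from the advisory; it uses Python's standard-library SAX and expat parsers to show the behaviour the CVE describes: the same XXE payload read through a parser that resolves external general entities, through one that does not, and through one that rejects DTDs outright. The secret file, its contents, and the payload are constructed for the demo, and names such as `parse_with_sax`, `parse_rejecting_dtd`, and `run_demo` are the example's own.

```python
"""Added example (not Pentaho code): how CWE-611 plays out in an XML parser.

parse_with_sax() toggles external general entity resolution, the setting
CVE-2026-2253 is about; parse_rejecting_dtd() is the fail-closed
configuration a hardened service should use for untrusted XML.
"""
import io
import os
import tempfile
import xml.parsers.expat
import xml.sax
from pathlib import Path
from xml.sax.handler import feature_external_ges


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE declaration."""


class _TextCollector(xml.sax.ContentHandler):
    """Collects every run of character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_sax(data: bytes, resolve_external_entities: bool) -> str:
    """Parse XML and return its text content.

    resolve_external_entities=True reproduces the CWE-611 condition: a
    SYSTEM entity expands to the referenced file (or fetches a URL, which
    is the SSRF variant). False is the hardened setting: the entity
    reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.parts)


def parse_rejecting_dtd(data: bytes) -> str:
    """Fail closed: refuse any document that declares a DTD at all.

    This is the stdlib equivalent of JAXP's disallow-doctype-decl feature
    and removes the whole entity-expansion attack surface (file read,
    SSRF, entity-expansion DoS) rather than just one setting.
    """
    parser = xml.parsers.expat.ParserCreate()
    parts = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in an expat handler propagate out of Parse().
        raise DtdForbidden(f"DOCTYPE {name!r} not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = start_doctype
    parser.CharacterDataHandler = parts.append
    parser.Parse(data, True)
    return "".join(parts)


def run_demo() -> dict:
    """Run one XXE payload through all three configurations.

    The 'secret' file and the payload are constructed for the demo; a real
    attacker would name a path such as a properties file holding database
    credentials, or an http:// URL to turn the read into SSRF.
    """
    with tempfile.NamedTemporaryFile("wb", suffix=".properties", delete=False) as f:
        f.write(b"db.password=s3cr3t\n")
        secret = Path(f.name)
    try:
        # Classic XXE: declare an external general entity in the internal
        # DTD subset, then reference it in element content so its expansion
        # lands in the parsed output.
        payload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{secret.as_uri()}">]>\n'
            "<data>&xxe;</data>\n"
        ).encode()
        vulnerable = parse_with_sax(payload, resolve_external_entities=True)
        entities_disabled = parse_with_sax(payload, resolve_external_entities=False)
        try:
            parse_rejecting_dtd(payload)
            doctype_rejected = False
        except DtdForbidden:
            doctype_rejected = True
    finally:
        os.unlink(secret)
    return {
        "vulnerable": vulnerable,                # the secret file's contents
        "entities_disabled": entities_disabled,  # empty string
        "doctype_rejected": doctype_rejected,    # True
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:18} {value!r}")
```

Run it directly to print the three outcomes. Pentaho is a Java application; the corresponding JAXP hardening is `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` on the `DocumentBuilderFactory` or `SAXParserFactory`, with `XMLConstants.FEATURE_SECURE_PROCESSING` as a baseline. The middle case is the one to take away: disabling external general entities stops the file read, but DTD processing stays on, so rejecting DOCTYPE entirely is the stronger default wherever the product does not need DTDs.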
Evidence notes
CVE description and CVSS vector confirm XXE vulnerability in XML parsers. Vendor advisory specifies affected versions and fixed releases. No CISA KEV entry present.
Official resources
- CVE-2026-2253 CVE record (CVE.org)
- CVE-2026-2253 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Official vendor advisory published 2026-05-27 via Hitachi Vantara security notifications.