EIP-2026-104390

PRE-CVE

Pentaho BI 1.x - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104390. PoCs published by euronymous.

AI-analyzed exploit summary This is a functional proof-of-concept for a reflected XSS vulnerability in Pentaho BI. The exploit demonstrates how an attacker can inject arbitrary JavaScript code via the 'outputType' parameter, which is then executed in the context of the victim's browser session.

Description

Pentaho BI 1.x - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities

Exploits (1)

exploitdb WORKING POC VERIFIED

by euronymous · textwebappsmultiple

https://www.exploit-db.com/exploits/33284

View Code ZIP pw:eip

This is a functional proof-of-concept for a reflected XSS vulnerability in Pentaho BI. The exploit demonstrates how an attacker can inject arbitrary JavaScript code via the 'outputType' parameter, which is then executed in the context of the victim's browser session.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Pentaho BI 1.7.0.1062

No auth needed

Prerequisites: Victim must visit a crafted URL or be tricked into clicking a malicious link

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026