EIP-2026-119683

PRE-CVE

Pentaho < 4.5.0 - User Console XML Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-119683. PoCs published by K.d Long.

AI-analyzed exploit summary: The exploit demonstrates an XML External Entity (XXE) injection vulnerability in Pentaho BI User Console, allowing arbitrary file disclosure via a crafted POST request to the '/pentaho/content/dashboards' endpoint.

Description

Pentaho < 4.5.0 - User Console XML Injection

Exploits (1)

exploitdb WORKING POC
by K.d Long · text · webapps · xml
https://www.exploit-db.com/exploits/36132

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Pentaho BI User Console < 4.5.0
Auth required
Prerequisites: Valid session cookie (JSESSIONID) · Access to the '/pentaho/content/dashboards' endpoint
mistral-large-3 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026