High-severity XSS fixed in Hitachi Ops Center Analyzer
TL;DR — A High-severity XSS in Hitachi Ops Center Analyzer and Infrastructure Analytics Advisor can let a low-privilege user trigger script execution in another user’s browser, risking UI/session data exposure.
What happened
Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer are enterprise IT operations/analytics products used to collect, analyze, and visualize infrastructure telemetry and operational data.
CVE-2026-2072 is a cross-site scripting (XSS) vulnerability affecting Hitachi Infrastructure Analytics Advisor (Analytics probe component) and Hitachi Ops Center Analyzer. The CVE record reports CVSS v3.1 8.2 (High) with AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L, indicating the vulnerable UI path is reachable over the network, requires low privileges, and requires user interaction, with a high confidentiality impact.
XSS in operations consoles is a recurring enterprise risk because it can turn “one compromised low-privilege account” into a path for session/data theft against more privileged users who routinely browse these UIs.
Who is impacted
- Organizations running Hitachi Infrastructure Analytics Advisor (Analytics probe component) on Linux (x64).
- Organizations running Hitachi Ops Center Analyzer on Linux (x64) in the affected version range.
| Component | Affected versions (per Hitachi CVE record / advisory) | Patched versions (per Hitachi advisory) |
|---|---|---|
| Hitachi Infrastructure Analytics Advisor (Analytics probe) | All versions (Linux x64) | Not listed in the referenced Hitachi advisory page |
| Hitachi Ops Center Analyzer | >= 10.0.0-00, < 11.0.5-00 (Linux x64) | 11.0.5-00 |
Vendor advisory referenced by the CVE record: hitachi-sec-2026-114 (URL: https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-114/index.html).
What to do now
- Follow vendor remediation guidance and apply the vendor-provided fixed product version(s).
  "Affected products and versions are listed below. Please upgrade your version to the appropriate version."
- For Hitachi Ops Center Analyzer, prioritize upgrades to the fixed release identified by Hitachi.
- For Hitachi Infrastructure Analytics Advisor, treat the Analytics probe component as potentially still exposed until you confirm a fixed release (or compensating guidance) via Hitachi support / the latest advisory revision.
- Reduce exposure while patching: restrict UI access to trusted networks/users (especially accounts that can view high-value operational data) and monitor for suspicious browser-driven activity originating from the Analyzer/Advisor UI.
  "Workarounds None."
