PT-2026-24134 · Hitachi Vantara · Pentaho Data Integration & Analytics
Published 2026-03-09 · Updated 2026-05-06 · CVE-2025-11158
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.6
Hitachi Vantara Pentaho Data Integration & Analytics versions 8.3.x
Hitachi Vantara Pentaho Data Integration & Analytics versions 9.3.x
Description
The software does not properly restrict Groovy scripts within new PRPT reports published by users. This allows for the insertion of arbitrary scripts, potentially leading to Remote Code Execution (RCE). The issue affects authenticated users.
Recommendations
Update to version 10.2.0.6 or later.
Fix
RCE
Missing Authorization
Affected Products
Pentaho Data Integration & Analytics