CVE-2025-11158
CriticalSummary
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to RCE.
Risk Assessment
The lack of restrictions on Groovy scripts poses a serious risk of remote code execution, which could lead to the compromise of organizational systems and data.
Recommendation
It is recommended to upgrade to version 10.2.0.6 or later and implement appropriate mechanisms to restrict user script insertion.
Original NVD description (English source)
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.

