CVE Catalog

CVE-2025-11158

Critical
Published: Translated: NVD NIST

Summary

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to RCE.

Risk Assessment

The lack of restrictions on Groovy scripts poses a serious risk of remote code execution, which could lead to the compromise of organizational systems and data.

Recommendation

It is recommended to upgrade to version 10.2.0.6 or later and implement appropriate mechanisms to restrict user script insertion.

Original NVD description (English source)

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS