CVE-2025-11158 | THREATINT

Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.

PUBLISHED Reserved 2025-09-29 | Published 2026-03-09 | Updated 2026-03-10 | Assigner HITVAN

CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-862: Missing Authorization

Product status

Default status

unaffected

1.0 (maven)

affected

10.0 (maven) before 10.2.0.6

affected

Credits

Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security finder

References

www.ox.security/blog/cve-2025-11158/

support.pentaho.com/...fore-10-2-0-6-impacted-CVE-2025-11158 vendor-advisory

cve.org (CVE-2025-11158)

nvd.nist.gov (CVE-2025-11158)

Download JSON