Hitachi Vantara Pentaho: Unrestricted Scripts in Reports Allow Remote Code Execution

CVE-2025-11158
Summary

Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users. A user who publishes a report can insert an arbitrary script into it, which leads to remote code execution and, from there, unauthorized access to the system and its data. Update to version 10.2.0.6 or later to fix this issue.

Original title
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion o...
Original description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.
NVD CVSS 3.1 score: 9.1
Vulnerability type
CWE-862 Missing Authorization
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026