Home / Vulnerability Intelligence / CVE-2025-11158

CVE-2025-11158 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 11, 2026

Hitachi Vantara Pentaho Data Integration & Analytics - Remote Code Execution

Published: March 10, 2026Updated: March 11, 2026Remote Exploitable

Overview

Hitachi Vantara Pentaho Data Integration & Analytics < 10.2.0.6 contains a remote code execution caused by unrestricted Groovy scripts in new PRPT reports, letting attackers execute arbitrary scripts remotely, exploit requires report publishing privileges.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 3.6%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary code remotely, potentially leading to full system compromise.

Mitigation

Update to version 10.2.0.6 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 10, 2026

🔴 CVE-2025-11158 - Critical (9.1) Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-11158/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2025-11158
Severity: Critical
CVSS Score: 9.1
Type: command_injection
Status: unconfirmed
EPSS: 3.6%
Social Posts: 1

CWE

CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

3.6%Probability of exploitation in the next 30 days