What is CVE-2025-11158?

CVE-2025-11158 is a critical-severity vulnerability in Hitachi Vantara_pentaho_data_integration_and_analytics, classified under Missing Authorization. CVSS score: 9.1/10. Published 2026-03-10.

How severe is CVE-2025-11158?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Auth bypass in Hitachi Vantara_pentaho_data_integration_and_analytics

CVE-2025-11158

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.

Vulnerability class: Broken Access Control

EPSS: 0.000 (5.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Hitachi Vantara_pentaho_data_integration_and_analytics
Hitachi Vantara Pentaho Data Integration And Analytics — versions 1.0, 10.0

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

security.vulnerabilities@hitachivantara.com (vendor-advisory, Third Party Advisory)
af854a3a-2127-422b-91ae-364da2661108 (Third Party Advisory)

Frequently asked questions

What is CVE-2025-11158?: CVE-2025-11158 is a critical-severity vulnerability in Hitachi Vantara_pentaho_data_integration_and_analytics, classified under Missing Authorization. CVSS score: 9.1/10. Published 2026-03-10.
How severe is CVE-2025-11158?: Critical severity. CVSS v3 base score is 9.1 out of 10.