External Script Execution Vulnerability in Hitachi Vantara Pentaho Data Integration & Analytics
CVE-2025-11159

9.1CRITICAL

Key Information:

Vendor

Hitachi
Status
Pentaho Data Integration And Analytics
Vendor
CVE Published:
13 May 2026

What is CVE-2025-11159?

Hitachi Vantara's Pentaho Data Integration & Analytics is susceptible to an external script execution vulnerability within its JDBC driver for H2 databases. This issue emerges when a new connection is established by a data source administrator, possibly allowing unauthorized actions through scripts. Organizations using this software should take immediate action to evaluate their risk and enhance their security measures.

Affected Version(s)

Pentaho Data Integration and Analytics 1.0 < 10.2.0.7

Pentaho Data Integration and Analytics 1.0 < 11.0

References

https://support.pentaho.com/hc/en-us/articles/39954640408...

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security
.