CVE-2025-11159 PUBLISHED

Hitachi Vantara Pentaho Data Integration & Analytics - Dependency on Vulnerable Third-Party Component

Assigner: HITVAN
Reserved: 29.09.2025 Published: 13.05.2026 Updated: 13.05.2026

Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Hitachi Vantara
Product	Pentaho Data Integration and Analytics
Versions	Default: unaffected affected from 1.0 to 10.2.0.7 (excl.) affected from 1.0 to 11.0 (excl.)

Credits

Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security finder

References

https://support.pentaho.com/hc/en-us/articles/39954640408077--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Dependency-on-Vulnerable-Third-Party-Component-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2025-11159

Problem Types

CWE-1395: Dependency on Vulnerable Third-Party Component CWE

Impacts

CAPEC-310 Scanning for Vulnerable Software