Hitachi Vantara Pentaho Data Integration and Analytics Groovy Script Execution Vulnerability Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.6, including 9.3.x and 8.3.x. The vulnerability arises because the application does not properly restrict Groovy scripts embedded in newly published PRPT reports. Because this content is not restricted, a user able to publish a report can insert arbitrary Groovy scripts, which the server then executes.

Impact

Exploitation of this vulnerability allows unauthorized users to execute arbitrary code on the server where Pentaho Data Integration and Analytics is running.

Remediation

Users are advised to upgrade to Hitachi Vantara Pentaho Data Integration & Analytics version 10.2.0.6 or later. This vulnerability is also addressed in Pentaho Data Integration & Analytics 11.0.
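The following is an added defender-side triage example; it is not code from the advisory or from Hitachi Vantara. It does two things the two sections above describe: it decides whether an installed version string falls in the affected range (anything below the fixed version 10.2.0.6, which also covers the 9.3.x and 8.3.x lines), and it scans a PRPT file for entries that reference a Groovy expression so that user-published reports can be reviewed before they reach an unpatched server. It assumes that a PRPT file is a ZIP archive containing XML and that a Groovy expression is recognisable by the word "groovy" inside an XML tag; the entry names and tag syntax in the constructed sample archive are assumptions for illustration, not Pentaho's real report schema.

```python
import io
import re
import zipfile

# Fixed version stated in the advisory; everything below it is affected.
FIXED_VERSION = (10, 2, 0, 6)


def parse_version(version: str) -> tuple:
    """Turn '9.3.0.1' or '11.0' into a 4-part integer tuple for comparison."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True if the given Pentaho version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


# Assumption: a Groovy expression shows up as the word 'groovy' inside an XML tag.
GROOVY_TAG = re.compile(r"<[^>]*groovy[^>]*>", re.IGNORECASE)


def find_groovy_entries(prpt_bytes: bytes) -> list:
    """Return (entry_name, tag) pairs for every XML entry that references Groovy.

    Only XML entries inside the archive are inspected; binary resources such
    as images are skipped.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(prpt_bytes)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".xml"):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            for match in GROOVY_TAG.finditer(text):
                hits.append((name, match.group(0)))
    return hits


def build_sample_prpt(with_groovy: bool) -> bytes:
    """Constructed sample archive (not a real Pentaho export) for testing the scanner."""
    if with_groovy:
        expression = '<expression language="groovy" formula="1 + 1"/>'
    else:
        expression = '<expression language="formula" formula="1 + 1"/>'
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("layout.xml", "<layout/>")            # assumed entry name
        archive.writestr("expressions.xml",                      # assumed entry name
                         "<expressions>" + expression + "</expressions>")
    return buffer.getvalue()


if __name__ == "__main__":
    for v in ("8.3.0.0", "9.3.0.1", "10.2.0.5", "10.2.0.6", "11.0"):
        print(v, "affected" if is_affected(v) else "fixed")
    for flagged in (True, False):
        print(flagged, find_groovy_entries(build_sample_prpt(flagged)))
```

In practice the scanner would run over reports pulled from the publishing path of an unpatched server, and any hit is a candidate for manual review; a clean result only means no Groovy tag matched the assumed pattern, so upgrading remains the actual fix.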

Added: Mar 10, 2026, 4:25 PM
Updated: Mar 10, 2026, 4:25 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 7.5
exploitability: 7.0
remediation: 7.7
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.