Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, does not allow a system administrator to disable the scripting capabilities of the Community Dashboard Editor (CDE) plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hitachi Vantara Pentaho BA Server before 9.4.0.1 and 9.3.0.2 allows authenticated users with publishing privileges to execute arbitrary scripts via the CDE plugin.
Vulnerability
The Community Dashboard Editor (CDE) plugin in Hitachi Vantara Pentaho Business Analytics Server contains a static code injection vulnerability (CWE-96). System administrators cannot disable scripting capabilities of the plugin. Affected versions are prior to 9.4.0.1 and 9.3.0.2, including the 8.3.x line [1].
Exploitation
An attacker must be an authenticated user with sufficient publishing privileges. By embedding scripts in dashboards via the CDE plugin, the attacker can cause arbitrary code execution on clients that view the dashboard [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code on client machines, leading to potential information disclosure, data manipulation, or further compromise of client systems [1].
Mitigation
The defect can be mitigated by removing the CDE plugin. The recommended fix is to upgrade to Pentaho BA Server version 9.3.0.2 or later (Long Term Support) or version 9.4.0.1 or later [1].
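The following is an added example, not part of this CVE record or of any Hitachi Vantara tooling: a small inventory check that decides, from a server's reported version string and whether the CDE plugin is still installed, which of the three states above a host is in (fixed, mitigated by plugin removal, or still exposed). It assumes a dotted numeric version format such as `9.3.0.1` and reads the advisory's ranges as: every release below 9.3.0.2 is affected (which covers the 8.3.x line), and 9.4.0.0 is affected in the 9.4 line; the host inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions named in the advisory: 9.3.0.2 (Long Term Support) and 9.4.0.1.
FIXED_9_3 = (9, 3, 0, 2)
FIXED_9_4 = (9, 4, 0, 1)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch.build' into a 4-tuple, padding missing parts with 0.

    Assumption: versions are dotted integers, optionally followed by a qualifier
    (e.g. '9.3.0.2-GA'); anything else is rejected rather than guessed.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+){0,3})", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def is_vulnerable_version(text: str) -> bool:
    """True if the version predates the fix for its line.

    The 9.4 line is fixed from 9.4.0.1; every other release is compared against
    9.3.0.2, so 8.3.x and 9.0-9.3.0.1 are reported as affected (our reading of
    'prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x').
    """
    v = parse_version(text)
    if v[:2] == (9, 4):
        return v < FIXED_9_4
    return v < FIXED_9_3


def assess(version: str, cde_plugin_installed: bool) -> str:
    """Classify one host according to the advisory's mitigation options."""
    if not is_vulnerable_version(version):
        return "fixed"
    if not cde_plugin_installed:
        return "mitigated"  # vulnerable build, but the CDE plugin has been removed
    return "exposed"  # needs upgrade to 9.3.0.2+ (LTS) or 9.4.0.1+, or plugin removal


def triage(inventory: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the 'exposed' list can be actioned first."""
    groups: Dict[str, List[str]] = {"fixed": [], "mitigated": [], "exposed": []}
    for host in inventory:
        state = assess(str(host["version"]), bool(host["cde_plugin"]))
        groups[state].append(str(host["hostname"]))
    return groups


# Constructed sample inventory (hostnames, versions and plugin state are made up).
SAMPLE_INVENTORY = [
    {"hostname": "bi-prod-01", "version": "9.3.0.1", "cde_plugin": True},
    {"hostname": "bi-prod-02", "version": "9.3.0.2", "cde_plugin": True},
    {"hostname": "bi-test-01", "version": "9.4.0.0", "cde_plugin": False},
    {"hostname": "bi-legacy-01", "version": "8.3.0.5", "cde_plugin": True},
    {"hostname": "bi-new-01", "version": "9.4.0.1-GA", "cde_plugin": True},
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state:10s} {', '.join(hosts) or '-'}")
```

Hosts reported as `exposed` are the ones where neither mitigation from the advisory has been applied; `mitigated` hosts still run an affected build and should be scheduled for the upgrade, since plugin removal is a workaround rather than the fix.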
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.4.0.1, <9.3.0.2
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.