CVE-2025-11159

Critical

Published: 13 May 2026

Published

13 May 2026

Modified

13 May 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0006 20.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11159 is a critical-severity an unspecified weakness vulnerability in Pentaho Data Integration (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): None listed

Affected Products

Pentaho

Data Integration

inferred from references and description; NVD did not file a CPE for this CVE

References

https://support.pentaho.com/hc/en-us/articles/39954640408077--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Dependency-on-Vulnerable-Third-Party-Component-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2025-11159
security.vulnerabilities@hitachivantara.com