← back
CVE-2025-9121

Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data

CVSS 8.8 HIGHEPSS 0.4%CWE-502
Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Hitachi Vantara · Pentaho Data Integration and Analytics

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://support.pentaho.com/hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121