Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    76 vulnerabilities by HCLSoftware

    CVE-2026-56460 (GCVE-0-2026-56460)

    Vulnerability from nvd – Published: 2026-07-09 09:09 – Updated: 2026-07-09 12:23
    VLAI
    Title
    HCL DevOps Deploy / HCL Launch is susceptible to an Insertion of Sensitive Information Into Sent Data vulnerability
    Summary
    HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of sensitive information into sent data
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware HCL DevOps Deploy / HCL Launch Affected: 7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
    Create a notification for this product.
    Date Public
    2026-07-09 09:09
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T12:23:04.961787Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T12:23:15.700Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HCL DevOps Deploy / HCL Launch",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2026-07-09T09:09:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.\u003c/p\u003e"
                }
              ],
              "value": "HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of sensitive information into sent data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T09:09:42.386Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131697"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DevOps Deploy / HCL Launch is susceptible to an Insertion of Sensitive Information Into Sent Data vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-56460",
        "datePublished": "2026-07-09T09:09:42.386Z",
        "dateReserved": "2026-06-22T13:38:32.650Z",
        "dateUpdated": "2026-07-09T12:23:15.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56459 (GCVE-0-2026-56459)

    Vulnerability from nvd – Published: 2026-07-09 08:25 – Updated: 2026-07-09 12:37
    VLAI
    Title
    HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure
    Summary
    HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure.  The application stores potentially sensitive information in log files that could be read by a local user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of sensitive information into log file
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware HCL DevOps Deploy / HCL Launch Affected: 7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
    Create a notification for this product.
    Date Public
    2026-07-09 08:25
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56459",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T12:37:02.972180Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T12:37:09.372Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HCL DevOps Deploy / HCL Launch",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2026-07-09T08:25:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. \u0026nbsp;The application stores potentially sensitive information in log files that could be read by a local user.\u003c/p\u003e"
                }
              ],
              "value": "HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. \u00a0The application stores potentially sensitive information in log files that could be read by a local user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of sensitive information into log file",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T08:25:50.779Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131696"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-56459",
        "datePublished": "2026-07-09T08:25:50.779Z",
        "dateReserved": "2026-06-22T13:38:32.650Z",
        "dateUpdated": "2026-07-09T12:37:09.372Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56458 (GCVE-0-2026-56458)

    Vulnerability from nvd – Published: 2026-07-09 08:51 – Updated: 2026-07-09 12:34
    VLAI
    Title
    HCL DevOps Deploy is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains
    Summary
    HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-942 - Permissive cross-domain security policy with untrusted domains
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware HCL DevOps Deploy Affected: 8.1-8.1.2.6, 8.2-8.2.1.0
    Create a notification for this product.
    Date Public
    2026-07-09 08:50
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56458",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T12:34:18.620355Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T12:34:23.917Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HCL DevOps Deploy",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1-8.1.2.6, 8.2-8.2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2026-07-09T08:50:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.\u003c/p\u003e"
                }
              ],
              "value": "HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-942",
                  "description": "CWE-942 Permissive cross-domain security policy with untrusted domains",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T08:51:07.571Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131695"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DevOps Deploy is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-56458",
        "datePublished": "2026-07-09T08:51:07.571Z",
        "dateReserved": "2026-06-22T13:38:32.649Z",
        "dateUpdated": "2026-07-09T12:34:23.917Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56457 (GCVE-0-2026-56457)

    Vulnerability from nvd – Published: 2026-06-29 13:18 – Updated: 2026-06-29 13:58
    VLAI
    Title
    HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information
    Summary
    HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of sensitive information into log file
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware HCL DevOps Deploy / HCL Launch Affected: 7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
    Create a notification for this product.
    Date Public
    2026-06-29 13:18
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56457",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:58:36.273301Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:58:43.773Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HCL DevOps Deploy / HCL Launch",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2026-06-29T13:18:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.\u003c/p\u003e"
                }
              ],
              "value": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of sensitive information into log file",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-29T13:18:59.104Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131694"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-56457",
        "datePublished": "2026-06-29T13:18:59.104Z",
        "dateReserved": "2026-06-22T13:38:32.649Z",
        "dateUpdated": "2026-06-29T13:58:43.773Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59868 (GCVE-0-2025-59868)

    Vulnerability from nvd – Published: 2026-06-27 01:43 – Updated: 2026-06-29 13:54
    VLAI
    Title
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to sensitive data exposure
    Summary
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks and cause unknown behavior in the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of sensitive information into log file
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-27 01:43
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59868",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:54:10.444124Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:54:24.746Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Traveler for Microsoft Outlook",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c3.0.15"
                }
              ]
            }
          ],
          "datePublic": "2026-06-27T01:43:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks and cause unknown behavior in the application.\u003c/p\u003e"
                }
              ],
              "value": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks and cause unknown behavior in the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of sensitive information into log file",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-27T01:43:37.532Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131419"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to sensitive data exposure",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2025-59868",
        "datePublished": "2026-06-27T01:43:37.532Z",
        "dateReserved": "2025-09-22T15:00:11.102Z",
        "dateUpdated": "2026-06-29T13:54:24.746Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-37524 (GCVE-0-2023-37524)

    Vulnerability from nvd – Published: 2026-06-27 01:19 – Updated: 2026-06-29 13:21
    VLAI
    Title
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service
    Summary
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service.  Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerable third-party components.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1104 - Use of unmaintained third party components
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-27 01:19
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-37524",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:20:59.878251Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:21:14.982Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Traveler for Microsoft Outlook",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c3.0.6"
                }
              ]
            }
          ],
          "datePublic": "2026-06-27T01:19:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. \u0026nbsp;Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerable third-party components.\u0026nbsp;\u003c/p\u003e"
                }
              ],
              "value": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. \u00a0Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerable third-party components."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1104",
                  "description": "CWE-1104 Use of unmaintained third party components",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-27T01:30:26.731Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131418"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2023-37524",
        "datePublished": "2026-06-27T01:19:30.265Z",
        "dateReserved": "2023-07-06T16:12:30.393Z",
        "dateUpdated": "2026-06-29T13:21:14.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-23581 (GCVE-0-2024-23581)

    Vulnerability from nvd – Published: 2026-06-26 20:39 – Updated: 2026-06-29 13:19
    VLAI
    Title
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to an application modification vulnerability
    Summary
    The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper verification of cryptographic signature
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-26 20:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23581",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:19:14.119142Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:19:20.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Traveler for Microsoft Outlook",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.0.9"
                }
              ]
            }
          ],
          "datePublic": "2026-06-26T20:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application.\u003c/p\u003e"
                }
              ],
              "value": "The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347 Improper verification of cryptographic signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T23:23:17.558Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131417"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to an application modification vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2024-23581",
        "datePublished": "2026-06-26T20:39:48.964Z",
        "dateReserved": "2024-01-18T07:30:10.661Z",
        "dateUpdated": "2026-06-29T13:19:20.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15619 (GCVE-0-2025-15619)

    Vulnerability from nvd – Published: 2026-06-23 15:17 – Updated: 2026-06-23 15:46
    VLAI
    Title
    HCL Connections is vulnerable to broken access control
    Summary
    HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper access control
    • CWE-319 - Cleartext transmission of sensitive information
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware Connections Affected: 7.0, 8.0
    Create a notification for this product.
    Date Public
    2026-06-23 15:17
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15619",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T15:46:45.426418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T15:46:52.076Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Connections",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.0, 8.0"
                }
              ]
            }
          ],
          "datePublic": "2026-06-23T15:17:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario."
                }
              ],
              "value": "HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284  Improper access control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319 Cleartext transmission of sensitive information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T15:17:29.534Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130163"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Connections is vulnerable to broken access control",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2025-15619",
        "datePublished": "2026-06-23T15:17:29.534Z",
        "dateReserved": "2026-04-01T15:59:36.219Z",
        "dateUpdated": "2026-06-23T15:46:52.076Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21768 (GCVE-0-2026-21768)

    Vulnerability from nvd – Published: 2026-06-19 14:50 – Updated: 2026-06-22 19:36
    VLAI
    Title
    HCL Verse for Android is susceptible to an injection vulnerability
    Summary
    The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android's rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-19 14:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21768",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T19:36:14.172439Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T19:36:21.238Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Verse for Android",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "14.5.10"
                }
              ]
            }
          ],
          "datePublic": "2026-06-19T14:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android\u0027s rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations."
                }
              ],
              "value": "The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android\u0027s rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T14:50:02.931Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130866"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Verse for Android is susceptible to an injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21768",
        "datePublished": "2026-06-19T14:50:02.931Z",
        "dateReserved": "2026-01-05T16:07:58.367Z",
        "dateUpdated": "2026-06-22T19:36:21.238Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21837 (GCVE-0-2026-21837)

    Vulnerability from nvd – Published: 2026-06-05 05:50 – Updated: 2026-06-09 14:38
    VLAI
    Title
    HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API
    Summary
    HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API.  An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-05 05:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21837",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T13:22:58.176587Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T14:38:17.102Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Digital Experience",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.5"
                }
              ]
            }
          ],
          "datePublic": "2026-06-05T05:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API.\u0026nbsp; An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise."
                }
              ],
              "value": "HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API.\u00a0 An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T05:50:58.161Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130849"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21837",
        "datePublished": "2026-06-05T05:50:58.161Z",
        "dateReserved": "2026-01-05T16:08:25.000Z",
        "dateUpdated": "2026-06-09T14:38:17.102Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21826 (GCVE-0-2026-21826)

    Vulnerability from nvd – Published: 2026-06-05 05:58 – Updated: 2026-06-09 14:38
    VLAI
    Title
    HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection
    Summary
    HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection.  An attacker can manipulate the Host header and cause the application to behave in unexpected ways.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL redirection to untrusted site ('open redirect')
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-05 05:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21826",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T13:28:00.599027Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T14:38:10.191Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Digital Experience \u0026 DX Compose",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.5"
                }
              ]
            }
          ],
          "datePublic": "2026-06-05T05:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. \u0026nbsp;An attacker can manipulate the Host header\u0026nbsp;and cause the application to behave in unexpected ways."
                }
              ],
              "value": "HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. \u00a0An attacker can manipulate the Host header\u00a0and cause the application to behave in unexpected ways."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T05:58:31.449Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130849"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21826",
        "datePublished": "2026-06-05T05:58:31.449Z",
        "dateReserved": "2026-01-05T16:08:22.255Z",
        "dateUpdated": "2026-06-09T14:38:10.191Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21825 (GCVE-0-2026-21825)

    Vulnerability from nvd – Published: 2026-06-05 06:03 – Updated: 2026-06-09 14:38
    VLAI
    Title
    HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center
    Summary
    HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center.  An attacker could execute arbitrary JavaScript in the victim's browser.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-05 05:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21825",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T13:28:16.871212Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T14:38:04.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "DX Compose",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.5"
                }
              ]
            }
          ],
          "datePublic": "2026-06-05T05:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center.\u0026nbsp; An attacker could execute arbitrary JavaScript in the victim\u0027s browser."
                }
              ],
              "value": "HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center.\u00a0 An attacker could execute arbitrary JavaScript in the victim\u0027s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T06:03:11.053Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130849"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21825",
        "datePublished": "2026-06-05T06:03:11.053Z",
        "dateReserved": "2026-01-05T16:08:22.254Z",
        "dateUpdated": "2026-06-09T14:38:04.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62338 (GCVE-0-2025-62338)

    Vulnerability from nvd – Published: 2026-06-04 12:41 – Updated: 2026-06-05 04:44
    VLAI
    Title
    HCL BigFix Cloud Lifecycle Management is affected by lack of input validation
    Summary
    HCL BigFix Cloud Lifecycle Management is affected by lack of input validation.  This low-level flaw allows unauthorized access and may lead to information exposure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE 200 Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-04 17:25
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62338",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T13:54:16.690696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T13:54:44.254Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BigFix Cloud Lifecycle Management",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "10.9.1 and 10.9.2"
                }
              ]
            }
          ],
          "datePublic": "2026-06-04T17:25:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL BigFix Cloud Lifecycle Management is affected by lack of input validation.\u0026nbsp; This low-level flaw allows unauthorized access and may lead to information exposure."
                }
              ],
              "value": "HCL BigFix Cloud Lifecycle Management is affected by lack of input validation.\u00a0 This low-level flaw allows unauthorized access and may lead to information exposure."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE 200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T04:44:15.623Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130802"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL BigFix Cloud Lifecycle Management is affected by lack of input validation",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2025-62338",
        "datePublished": "2026-06-04T12:41:38.302Z",
        "dateReserved": "2025-10-10T09:04:27.770Z",
        "dateUpdated": "2026-06-05T04:44:15.623Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21785 (GCVE-0-2026-21785)

    Vulnerability from nvd – Published: 2026-05-27 20:15 – Updated: 2026-05-28 13:13
    VLAI
    Title
    HCL BigFix Remote Control Server WebUI is affected by a misconfigured Content Security Policy
    Summary
    A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper restriction of rendered UI layers or frames
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware BigFix Remote Control Server Affected: <= versions 10.1.0.0442
    Create a notification for this product.
    Date Public
    2026-05-27 20:15
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21785",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T13:12:44.221065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T13:13:55.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BigFix Remote Control Server",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= versions 10.1.0.0442"
                }
              ]
            }
          ],
          "datePublic": "2026-05-27T20:15:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources."
                }
              ],
              "value": "A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021 Improper restriction of rendered UI layers or frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T20:15:56.441Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130581"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL BigFix Remote Control Server WebUI is affected by a misconfigured Content Security Policy",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21785",
        "datePublished": "2026-05-27T20:15:56.441Z",
        "dateReserved": "2026-01-05T16:08:02.276Z",
        "dateUpdated": "2026-05-28T13:13:55.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21836 (GCVE-0-2026-21836)

    Vulnerability from nvd – Published: 2026-05-20 13:37 – Updated: 2026-05-21 14:00
    VLAI
    Title
    HCL DominoIQ is affected by broken access control
    Summary
    The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability.  Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query.  This could enable an authenticated attacker to view sensitive data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware DominoIQ Affected: 14.5.1
    Create a notification for this product.
    Date Public
    2026-05-20 13:36
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21836",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T14:00:19.829635Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T14:00:30.209Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "DominoIQ",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "14.5.1"
                }
              ]
            }
          ],
          "datePublic": "2026-05-20T13:36:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe HCL DominoIQ RAG feature is\u0026nbsp;affected by\u0026nbsp;a Broken Access Control vulnerability. \u0026nbsp;Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. \u0026nbsp;This could enable an authenticated attacker to view sensitive data.\u003c/p\u003e"
                }
              ],
              "value": "The HCL DominoIQ RAG feature is\u00a0affected by\u00a0a Broken Access Control vulnerability. \u00a0Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. \u00a0This could enable an authenticated attacker to view sensitive data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T13:37:47.679Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130932"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DominoIQ is affected by broken access control",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21836",
        "datePublished": "2026-05-20T13:37:47.679Z",
        "dateReserved": "2026-01-05T16:08:25.000Z",
        "dateUpdated": "2026-05-21T14:00:30.209Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56460 (GCVE-0-2026-56460)

    Vulnerability from cvelistv5 – Published: 2026-07-09 09:09 – Updated: 2026-07-09 12:23
    VLAI
    Title
    HCL DevOps Deploy / HCL Launch is susceptible to an Insertion of Sensitive Information Into Sent Data vulnerability
    Summary
    HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of sensitive information into sent data
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware HCL DevOps Deploy / HCL Launch Affected: 7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
    Create a notification for this product.
    Date Public
    2026-07-09 09:09
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T12:23:04.961787Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T12:23:15.700Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HCL DevOps Deploy / HCL Launch",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2026-07-09T09:09:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system.\u003c/p\u003e"
                }
              ],
              "value": "HCL DevOps Deploy / HCL Launch could disclose sensitive configurations and secrets to authenticated users in API responses that could be used in further attacks against the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of sensitive information into sent data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T09:09:42.386Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131697"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DevOps Deploy / HCL Launch is susceptible to an Insertion of Sensitive Information Into Sent Data vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-56460",
        "datePublished": "2026-07-09T09:09:42.386Z",
        "dateReserved": "2026-06-22T13:38:32.650Z",
        "dateUpdated": "2026-07-09T12:23:15.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56458 (GCVE-0-2026-56458)

    Vulnerability from cvelistv5 – Published: 2026-07-09 08:51 – Updated: 2026-07-09 12:34
    VLAI
    Title
    HCL DevOps Deploy is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains
    Summary
    HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-942 - Permissive cross-domain security policy with untrusted domains
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware HCL DevOps Deploy Affected: 8.1-8.1.2.6, 8.2-8.2.1.0
    Create a notification for this product.
    Date Public
    2026-07-09 08:50
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56458",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T12:34:18.620355Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T12:34:23.917Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HCL DevOps Deploy",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1-8.1.2.6, 8.2-8.2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2026-07-09T08:50:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.\u003c/p\u003e"
                }
              ],
              "value": "HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-942",
                  "description": "CWE-942 Permissive cross-domain security policy with untrusted domains",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T08:51:07.571Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131695"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DevOps Deploy is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-56458",
        "datePublished": "2026-07-09T08:51:07.571Z",
        "dateReserved": "2026-06-22T13:38:32.649Z",
        "dateUpdated": "2026-07-09T12:34:23.917Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56459 (GCVE-0-2026-56459)

    Vulnerability from cvelistv5 – Published: 2026-07-09 08:25 – Updated: 2026-07-09 12:37
    VLAI
    Title
    HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure
    Summary
    HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure.  The application stores potentially sensitive information in log files that could be read by a local user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of sensitive information into log file
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware HCL DevOps Deploy / HCL Launch Affected: 7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
    Create a notification for this product.
    Date Public
    2026-07-09 08:25
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56459",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T12:37:02.972180Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T12:37:09.372Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HCL DevOps Deploy / HCL Launch",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2026-07-09T08:25:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. \u0026nbsp;The application stores potentially sensitive information in log files that could be read by a local user.\u003c/p\u003e"
                }
              ],
              "value": "HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. \u00a0The application stores potentially sensitive information in log files that could be read by a local user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of sensitive information into log file",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T08:25:50.779Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131696"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-56459",
        "datePublished": "2026-07-09T08:25:50.779Z",
        "dateReserved": "2026-06-22T13:38:32.650Z",
        "dateUpdated": "2026-07-09T12:37:09.372Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56457 (GCVE-0-2026-56457)

    Vulnerability from cvelistv5 – Published: 2026-06-29 13:18 – Updated: 2026-06-29 13:58
    VLAI
    Title
    HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information
    Summary
    HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of sensitive information into log file
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware HCL DevOps Deploy / HCL Launch Affected: 7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
    Create a notification for this product.
    Date Public
    2026-06-29 13:18
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56457",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:58:36.273301Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:58:43.773Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HCL DevOps Deploy / HCL Launch",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
                }
              ]
            }
          ],
          "datePublic": "2026-06-29T13:18:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.\u003c/p\u003e"
                }
              ],
              "value": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of sensitive information into log file",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-29T13:18:59.104Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131694"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-56457",
        "datePublished": "2026-06-29T13:18:59.104Z",
        "dateReserved": "2026-06-22T13:38:32.649Z",
        "dateUpdated": "2026-06-29T13:58:43.773Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59868 (GCVE-0-2025-59868)

    Vulnerability from cvelistv5 – Published: 2026-06-27 01:43 – Updated: 2026-06-29 13:54
    VLAI
    Title
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to sensitive data exposure
    Summary
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks and cause unknown behavior in the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of sensitive information into log file
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-27 01:43
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59868",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:54:10.444124Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:54:24.746Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Traveler for Microsoft Outlook",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c3.0.15"
                }
              ]
            }
          ],
          "datePublic": "2026-06-27T01:43:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks and cause unknown behavior in the application.\u003c/p\u003e"
                }
              ],
              "value": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks and cause unknown behavior in the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532 Insertion of sensitive information into log file",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-27T01:43:37.532Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131419"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to sensitive data exposure",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2025-59868",
        "datePublished": "2026-06-27T01:43:37.532Z",
        "dateReserved": "2025-09-22T15:00:11.102Z",
        "dateUpdated": "2026-06-29T13:54:24.746Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-37524 (GCVE-0-2023-37524)

    Vulnerability from cvelistv5 – Published: 2026-06-27 01:19 – Updated: 2026-06-29 13:21
    VLAI
    Title
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service
    Summary
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service.  Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerable third-party components.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1104 - Use of unmaintained third party components
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-27 01:19
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-37524",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:20:59.878251Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:21:14.982Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Traveler for Microsoft Outlook",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c3.0.6"
                }
              ]
            }
          ],
          "datePublic": "2026-06-27T01:19:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eHCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. \u0026nbsp;Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerable third-party components.\u0026nbsp;\u003c/p\u003e"
                }
              ],
              "value": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. \u00a0Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerable third-party components."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1104",
                  "description": "CWE-1104 Use of unmaintained third party components",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-27T01:30:26.731Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131418"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2023-37524",
        "datePublished": "2026-06-27T01:19:30.265Z",
        "dateReserved": "2023-07-06T16:12:30.393Z",
        "dateUpdated": "2026-06-29T13:21:14.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-23581 (GCVE-0-2024-23581)

    Vulnerability from cvelistv5 – Published: 2026-06-26 20:39 – Updated: 2026-06-29 13:19
    VLAI
    Title
    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to an application modification vulnerability
    Summary
    The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper verification of cryptographic signature
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-26 20:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23581",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-29T13:19:14.119142Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-29T13:19:20.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Traveler for Microsoft Outlook",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.0.9"
                }
              ]
            }
          ],
          "datePublic": "2026-06-26T20:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application.\u003c/p\u003e"
                }
              ],
              "value": "The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347 Improper verification of cryptographic signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T23:23:17.558Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131417"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to an application modification vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2024-23581",
        "datePublished": "2026-06-26T20:39:48.964Z",
        "dateReserved": "2024-01-18T07:30:10.661Z",
        "dateUpdated": "2026-06-29T13:19:20.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15619 (GCVE-0-2025-15619)

    Vulnerability from cvelistv5 – Published: 2026-06-23 15:17 – Updated: 2026-06-23 15:46
    VLAI
    Title
    HCL Connections is vulnerable to broken access control
    Summary
    HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper access control
    • CWE-319 - Cleartext transmission of sensitive information
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware Connections Affected: 7.0, 8.0
    Create a notification for this product.
    Date Public
    2026-06-23 15:17
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15619",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T15:46:45.426418Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T15:46:52.076Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Connections",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.0, 8.0"
                }
              ]
            }
          ],
          "datePublic": "2026-06-23T15:17:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario."
                }
              ],
              "value": "HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284  Improper access control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319 Cleartext transmission of sensitive information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T15:17:29.534Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130163"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Connections is vulnerable to broken access control",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2025-15619",
        "datePublished": "2026-06-23T15:17:29.534Z",
        "dateReserved": "2026-04-01T15:59:36.219Z",
        "dateUpdated": "2026-06-23T15:46:52.076Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21768 (GCVE-0-2026-21768)

    Vulnerability from cvelistv5 – Published: 2026-06-19 14:50 – Updated: 2026-06-22 19:36
    VLAI
    Title
    HCL Verse for Android is susceptible to an injection vulnerability
    Summary
    The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android's rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper input validation
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-19 14:44
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21768",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T19:36:14.172439Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T19:36:21.238Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Verse for Android",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "14.5.10"
                }
              ]
            }
          ],
          "datePublic": "2026-06-19T14:44:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android\u0027s rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations."
                }
              ],
              "value": "The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android\u0027s rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper input validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T14:50:02.931Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130866"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Verse for Android is susceptible to an injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21768",
        "datePublished": "2026-06-19T14:50:02.931Z",
        "dateReserved": "2026-01-05T16:07:58.367Z",
        "dateUpdated": "2026-06-22T19:36:21.238Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21825 (GCVE-0-2026-21825)

    Vulnerability from cvelistv5 – Published: 2026-06-05 06:03 – Updated: 2026-06-09 14:38
    VLAI
    Title
    HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center
    Summary
    HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center.  An attacker could execute arbitrary JavaScript in the victim's browser.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-05 05:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21825",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T13:28:16.871212Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T14:38:04.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "DX Compose",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.5"
                }
              ]
            }
          ],
          "datePublic": "2026-06-05T05:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center.\u0026nbsp; An attacker could execute arbitrary JavaScript in the victim\u0027s browser."
                }
              ],
              "value": "HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center.\u00a0 An attacker could execute arbitrary JavaScript in the victim\u0027s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T06:03:11.053Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130849"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21825",
        "datePublished": "2026-06-05T06:03:11.053Z",
        "dateReserved": "2026-01-05T16:08:22.254Z",
        "dateUpdated": "2026-06-09T14:38:04.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21826 (GCVE-0-2026-21826)

    Vulnerability from cvelistv5 – Published: 2026-06-05 05:58 – Updated: 2026-06-09 14:38
    VLAI
    Title
    HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection
    Summary
    HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection.  An attacker can manipulate the Host header and cause the application to behave in unexpected ways.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL redirection to untrusted site ('open redirect')
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-05 05:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21826",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T13:28:00.599027Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T14:38:10.191Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Digital Experience \u0026 DX Compose",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.5"
                }
              ]
            }
          ],
          "datePublic": "2026-06-05T05:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. \u0026nbsp;An attacker can manipulate the Host header\u0026nbsp;and cause the application to behave in unexpected ways."
                }
              ],
              "value": "HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. \u00a0An attacker can manipulate the Host header\u00a0and cause the application to behave in unexpected ways."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL redirection to untrusted site (\u0027open redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T05:58:31.449Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130849"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21826",
        "datePublished": "2026-06-05T05:58:31.449Z",
        "dateReserved": "2026-01-05T16:08:22.255Z",
        "dateUpdated": "2026-06-09T14:38:10.191Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21837 (GCVE-0-2026-21837)

    Vulnerability from cvelistv5 – Published: 2026-06-05 05:50 – Updated: 2026-06-09 14:38
    VLAI
    Title
    HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API
    Summary
    HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API.  An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-05 05:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21837",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T13:22:58.176587Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T14:38:17.102Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Digital Experience",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.5"
                }
              ]
            }
          ],
          "datePublic": "2026-06-05T05:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API.\u0026nbsp; An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise."
                }
              ],
              "value": "HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API.\u00a0 An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T05:50:58.161Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130849"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21837",
        "datePublished": "2026-06-05T05:50:58.161Z",
        "dateReserved": "2026-01-05T16:08:25.000Z",
        "dateUpdated": "2026-06-09T14:38:17.102Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62338 (GCVE-0-2025-62338)

    Vulnerability from cvelistv5 – Published: 2026-06-04 12:41 – Updated: 2026-06-05 04:44
    VLAI
    Title
    HCL BigFix Cloud Lifecycle Management is affected by lack of input validation
    Summary
    HCL BigFix Cloud Lifecycle Management is affected by lack of input validation.  This low-level flaw allows unauthorized access and may lead to information exposure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE 200 Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    HCL
    Impacted products
    Date Public
    2026-06-04 17:25
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62338",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T13:54:16.690696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T13:54:44.254Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BigFix Cloud Lifecycle Management",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "10.9.1 and 10.9.2"
                }
              ]
            }
          ],
          "datePublic": "2026-06-04T17:25:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HCL BigFix Cloud Lifecycle Management is affected by lack of input validation.\u0026nbsp; This low-level flaw allows unauthorized access and may lead to information exposure."
                }
              ],
              "value": "HCL BigFix Cloud Lifecycle Management is affected by lack of input validation.\u00a0 This low-level flaw allows unauthorized access and may lead to information exposure."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE 200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T04:44:15.623Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130802"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL BigFix Cloud Lifecycle Management is affected by lack of input validation",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2025-62338",
        "datePublished": "2026-06-04T12:41:38.302Z",
        "dateReserved": "2025-10-10T09:04:27.770Z",
        "dateUpdated": "2026-06-05T04:44:15.623Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21785 (GCVE-0-2026-21785)

    Vulnerability from cvelistv5 – Published: 2026-05-27 20:15 – Updated: 2026-05-28 13:13
    VLAI
    Title
    HCL BigFix Remote Control Server WebUI is affected by a misconfigured Content Security Policy
    Summary
    A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1021 - Improper restriction of rendered UI layers or frames
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware BigFix Remote Control Server Affected: <= versions 10.1.0.0442
    Create a notification for this product.
    Date Public
    2026-05-27 20:15
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21785",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T13:12:44.221065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T13:13:55.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BigFix Remote Control Server",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= versions 10.1.0.0442"
                }
              ]
            }
          ],
          "datePublic": "2026-05-27T20:15:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources."
                }
              ],
              "value": "A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1021",
                  "description": "CWE-1021 Improper restriction of rendered UI layers or frames",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T20:15:56.441Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130581"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL BigFix Remote Control Server WebUI is affected by a misconfigured Content Security Policy",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21785",
        "datePublished": "2026-05-27T20:15:56.441Z",
        "dateReserved": "2026-01-05T16:08:02.276Z",
        "dateUpdated": "2026-05-28T13:13:55.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21836 (GCVE-0-2026-21836)

    Vulnerability from cvelistv5 – Published: 2026-05-20 13:37 – Updated: 2026-05-21 14:00
    VLAI
    Title
    HCL DominoIQ is affected by broken access control
    Summary
    The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability.  Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query.  This could enable an authenticated attacker to view sensitive data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    HCL
    Impacted products
    Vendor Product Version
    HCLSoftware DominoIQ Affected: 14.5.1
    Create a notification for this product.
    Date Public
    2026-05-20 13:36
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21836",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T14:00:19.829635Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T14:00:30.209Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "DominoIQ",
              "vendor": "HCLSoftware",
              "versions": [
                {
                  "status": "affected",
                  "version": "14.5.1"
                }
              ]
            }
          ],
          "datePublic": "2026-05-20T13:36:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe HCL DominoIQ RAG feature is\u0026nbsp;affected by\u0026nbsp;a Broken Access Control vulnerability. \u0026nbsp;Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. \u0026nbsp;This could enable an authenticated attacker to view sensitive data.\u003c/p\u003e"
                }
              ],
              "value": "The HCL DominoIQ RAG feature is\u00a0affected by\u00a0a Broken Access Control vulnerability. \u00a0Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. \u00a0This could enable an authenticated attacker to view sensitive data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T13:37:47.679Z",
            "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
            "shortName": "HCL"
          },
          "references": [
            {
              "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130932"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HCL DominoIQ is affected by broken access control",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "assignerShortName": "HCL",
        "cveId": "CVE-2026-21836",
        "datePublished": "2026-05-20T13:37:47.679Z",
        "dateReserved": "2026-01-05T16:08:25.000Z",
        "dateUpdated": "2026-05-21T14:00:30.209Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }