Digital Experience
by HCL Software
CVEs (14)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-21826 | | Med | 0.40 | 6.1 | — | | Jun 5, 2026 | HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways. |
| CVE-2025-0254 | | Med | 0.38 | 5.9 | 0.00 | | Mar 20, 2025 | HCL Digital Experience components Ring API and dxclient may be vulnerable to man-in-the-middle (MitM) attacks prior to 9.5 CF226. An attacker could intercept and potentially alter communication between two parties. |
| CVE-2025-62326 | | | 0.00 | — | 0.00 | | Feb 20, 2026 | HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit. |
| CVE-2025-31988 | | | 0.00 | — | 0.00 | | Aug 19, 2025 | HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access. |
| CVE-2023-37538 | | | 0.00 | — | 0.00 | | Oct 11, 2023 | HCL Digital Experience is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web site). |
| CVE-2022-38653 | | | 0.00 | — | 0.00 | | Dec 15, 2022 | In HCL Digital Experience, customized XSS payload can be constructed such that it is served in the application unencoded. |
| CVE-2022-38662 | | | 0.00 | — | 0.00 | | Dec 15, 2022 | In HCL Digital Experience, URLs can be constructed to redirect users to untrusted sites. |
| CVE-2021-27774 | | | 0.00 | — | 0.00 | | Sep 22, 2022 | User input included in error response, which could be used in a phishing attack. |
| CVE-2020-4081 | | | 0.00 | — | 0.00 | | Feb 2, 2021 | In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS). |
| CVE-2020-14255 | | | 0.00 | — | 0.00 | | Feb 2, 2021 | HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations. |
| CVE-2020-14221 | | | 0.00 | — | 0.00 | | Feb 2, 2021 | HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users. |
| CVE-2020-14222 | | | 0.00 | — | 0.00 | | Nov 5, 2020 | HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web site). |
| CVE-2020-14223 | | | 0.00 | — | 0.00 | | Oct 1, 2020 | HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross-site scripting (XSS). The vulnerability could be employed in a reflected or non-persistent XSS attack. |
| CVE-2020-4101 | | | 0.00 | — | 0.00 | | Jun 11, 2020 | "HCL Digital Experience is susceptible to Server Side Request Forgery." |