VYPR

Vendor: HCL Software
Products: 79
CVEs: 380
Across products: 316
Status: Private

Recent CVEs (380 total)

  • CVE-2025-62319 (Critical) Mar 16, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently…

  • CVE-2025-31951 (High) May 6, 2026
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.

  • CVE-2026-21821 (High) May 13, 2026
    risk 0.54 | CVSS 8.3 | EPSS 0.00

    The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and increase the risk…

  • CVE-2025-59874 (High) Jun 4, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    HCL Hive Telco Observability is affected by a "required directives missing from the CSP" issue detected in the Keycloak component of the web application. Missing essential directives can leave a site vulnerable.

  • CVE-2025-55278 (High) Nov 5, 2025
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to…

  • CVE-2025-31965 (High) Jul 29, 2025
    risk 0.53 | CVSS 8.2 | EPSS 0.00

    Improper access restrictions in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0248 and lower) allow non-admin users to view unauthorized information on certain web pages.

  • CVE-2021-47970 (High) May 16, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can generate a payload containing 350000 repeated characters and paste it into a note field to trigger…

  • CVE-2025-0280 (High) Sep 3, 2025
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    A security vulnerability in HCL Compass can allow an attacker to gain unauthorized database access.

  • CVE-2025-52612 (High) Jun 4, 2026
    risk 0.46 | CVSS 7.1 | EPSS 0.00

    HCL iControl was affected by an Export CSV - CSV Injection vulnerability. It is also vulnerable to a reflected cross-site scripting vulnerability, caused by insufficient sanitization of input parameters.

  • CVE-2025-31991 (Medium) Apr 13, 2026
    risk 0.44 | CVSS 6.8 | EPSS 0.00

    Rate limiting for user login attempts is not properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks beyond the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7.

  • CVE-2025-62346 (Medium) Nov 20, 2025
    risk 0.44 | CVSS 6.8 | EPSS 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint.

  • CVE-2024-23589 (Medium) May 30, 2025
    risk 0.44 | CVSS 6.8 | EPSS 0.00

    Due to an outdated hash algorithm, HCL Glovius Cloud could allow attackers to guess the input data efficiently using brute-force or dictionary attacks on modern hardware such as GPUs or ASICs.

  • CVE-2024-23584 (Medium) Apr 8, 2024
    risk 0.43 | CVSS 6.6 | EPSS 0.00

    The NMAP Importer service may expose data store credentials to authorized users of the Windows Registry.

  • CVE-2026-21836 (Medium) May 20, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view…

  • CVE-2024-23580 (Medium) May 28, 2024
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of One-Time Passwords (OTPs). This could allow an attacker with access to the database to recover some or all encrypted values.

  • CVE-2024-23579 (Medium) May 28, 2024
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of security questions. This could allow an attacker with access to the database to recover some or all encrypted values.

  • CVE-2023-37526 (Medium) May 14, 2024
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning…

  • CVE-2026-21826 (Medium) Jun 5, 2026
    risk 0.40 | CVSS 6.1 | EPSS 0.00

    HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways.

  • CVE-2025-52647 (Medium) Oct 10, 2025
    risk 0.40 | CVSS 6.1 | EPSS 0.00

    The BigFix WebUI application responds with HOST information from the HTTP header field making it vulnerable to Host Header Poisoning Attacks.

  • CVE-2025-59873 (Medium) Feb 23, 2026
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    An information exposure vulnerability exists in HCL Software ZIE for Web. The application transmits sensitive session tokens and authentication identifiers within the URL query parameters. An attacker who gains access to any network log or operates a site…