HCL Software
Products
79 products tracked.
Recent CVEs (380 total)

| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2025-62319 | Critical | 0.64 | 9.8 | 0.00 | Mar 16, 2026 | Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently… |
| CVE-2025-31951 | High | 0.57 | 8.8 | 0.00 | May 6, 2026 | HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution. |
| CVE-2026-21821 | High | 0.54 | 8.3 | 0.00 | May 13, 2026 | The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and increase the risk… |
| CVE-2025-59874 | High | 0.53 | 8.1 | 0.00 | Jun 4, 2026 | HCL Hive Telco Observability is affected by a missing required CSP directives issue detected in the Keycloak component of the web application. Missing essential directives can leave a site vulnerable. |
| CVE-2025-55278 | High | 0.53 | 8.1 | 0.00 | Nov 5, 2025 | Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to… |
| CVE-2025-31965 | High | 0.53 | 8.2 | 0.00 | Jul 29, 2025 | Improper access restrictions in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0248 and lower) allow non-admin users to view unauthorized information on certain web pages. |
| CVE-2021-47970 | High | 0.49 | 7.5 | 0.00 | May 16, 2026 | Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can generate a payload containing 350000 repeated characters and paste it into a note field to trigger… |
| CVE-2025-0280 | High | 0.49 | 7.5 | 0.00 | Sep 3, 2025 | A security vulnerability in HCL Compass can allow an attacker to gain unauthorized database access. |
| CVE-2025-52612 | High | 0.46 | 7.1 | 0.00 | Jun 4, 2026 | HCL iControl was affected by an Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by insufficient sanitization of input parameters. |
| CVE-2025-31991 | Medium | 0.44 | 6.8 | 0.00 | Apr 13, 2026 | Rate limiting for user login attempts is not properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7. |
| CVE-2025-62346 | Medium | 0.44 | 6.8 | 0.00 | Nov 20, 2025 | A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint. |
| CVE-2024-23589 | Medium | 0.44 | 6.8 | 0.00 | May 30, 2025 | Due to an outdated hash algorithm, HCL Glovius Cloud could allow attackers to guess the input data using brute-force or dictionary attacks efficiently using modern hardware such as GPUs or ASICs. |
| CVE-2024-23584 | Medium | 0.43 | 6.6 | 0.00 | Apr 8, 2024 | The NMAP Importer service may expose data store credentials to authorized users of the Windows Registry. |
| CVE-2026-21836 | Medium | 0.42 | 6.5 | 0.00 | May 20, 2026 | The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document-level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view… |
| CVE-2024-23580 | Medium | 0.42 | 6.5 | 0.00 | May 28, 2024 | HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of One-Time Passwords (OTPs). This could allow an attacker with access to the database to recover some or all encrypted values. |
| CVE-2024-23579 | Medium | 0.42 | 6.5 | 0.00 | May 28, 2024 | HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of security questions. This could allow an attacker with access to the database to recover some or all encrypted values. |
| CVE-2023-37526 | Medium | 0.42 | 6.5 | 0.00 | May 14, 2024 | HCL DRYiCE Lucy (now AEX) is affected by a Cross-Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning… |
| CVE-2026-21826 | Medium | 0.40 | 6.1 | 0.00 | Jun 5, 2026 | HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways. |
| CVE-2025-52647 | Medium | 0.40 | 6.1 | 0.00 | Oct 10, 2025 | The BigFix WebUI application responds with Host information from the HTTP header field, making it vulnerable to Host header poisoning attacks. |
| CVE-2025-59873 | Medium | 0.38 | 5.9 | 0.00 | Feb 23, 2026 | An information exposure vulnerability exists in HCL Software ZIE for Web. The application transmits sensitive session tokens and authentication identifiers within the URL query parameters. An attacker who gains access to any network log or operates a site… |