VYPR

Vendor CVEs

HCL Software

All CVEs

380 total · sorted by risk
  • CVE-2025-62319 · Critical · Mar 16, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently…

  • CVE-2025-31951 · High · May 6, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.

  • CVE-2026-21821 · High · May 13, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and increase the risk…

  • CVE-2025-59874 · High · Jun 4, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    HCL Hive Telco Observability is affected by missing required Content Security Policy (CSP) directives in the Keycloak component of the web application. Missing essential directives can leave a site vulnerable.

  • CVE-2025-55278 · High · Nov 5, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to…
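
    The token flaw described in this entry, shown as an added example (not HCL code, and not the DevOps Loop middleware): a minimal HMAC-signed token format with a validator that trusts the decoded claims beside one that checks the signature in constant time and then enforces exp. The key, claim names and token layout are assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for the example; a real service keeps this in a secret store.
SECRET_KEY = b"example-hmac-key-do-not-reuse"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, key: bytes = SECRET_KEY,
                now: Optional[int] = None) -> str:
    """Mint '<claims>.<hmac-sha256>' with iat/exp claims (JWT-like, deliberately minimal)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def vulnerable_validate(token: str) -> Optional[dict]:
    """The flaw class above: decode the claims and trust them.

    Neither the signature nor exp is checked, so a tampered or expired token
    is accepted as long as it parses."""
    try:
        body, _sig = token.split(".", 1)
        return json.loads(_b64url_decode(body))
    except ValueError:          # malformed base64 or JSON
        return None


def hardened_validate(token: str, key: bytes = SECRET_KEY,
                      now: Optional[int] = None, leeway: int = 0) -> Optional[dict]:
    """Verify the HMAC first (constant-time compare), then enforce exp."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None             # tampered claims or wrong key
    try:
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        return None             # missing or past expiry
    return claims


def tamper(token: str, **new_claims) -> str:
    """Attacker step: rewrite the claims but keep the original signature."""
    body, sig = token.split(".", 1)
    claims = json.loads(_b64url_decode(body))
    claims.update(new_claims)
    return _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", ttl_seconds=300, now=t0)
    forged = tamper(tok, sub="admin")
    print("vulnerable accepts forged :", vulnerable_validate(forged))
    print("hardened rejects forged   :", hardened_validate(forged, now=t0 + 10))
    print("hardened rejects expired  :", hardened_validate(tok, now=t0 + 600))
```

    The order matters: checking the signature before parsing the claims means an attacker cannot steer the JSON parser with unsigned input, and `hmac.compare_digest` avoids the timing side channel of a plain string comparison.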

  • CVE-2025-31965 · High · Jul 29, 2025
    risk 0.53 · cvss 8.2 · epss 0.00

    Improper access restrictions in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0248 and lower) allow non-admin users to view unauthorized information on certain web pages.

  • CVE-2021-47970 · High · May 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can generate a payload containing 350000 repeated characters and paste it into a note field to trigger…

  • CVE-2025-0280 · High · Sep 3, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A security vulnerability in HCL Compass can allow an attacker to gain unauthorized database access.

  • CVE-2025-52612 · High · Jun 4, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    HCL iControl is affected by a CSV injection vulnerability in its Export CSV function and by a reflected cross-site scripting vulnerability, both caused by insufficient sanitization of input parameters.
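
    CSV injection as described in this entry, shown as an added example that is not iControl code: a verbatim CSV export beside one that neutralizes cells starting with a formula leader (`=`, `+`, `-`, `@`, tab, CR, LF) by prefixing an apostrophe, while leaving native numbers untouched so negative values survive. The sample rows and the payload string are constructed for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a formula.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def neutralize_cell(value) -> str:
    """Return a string that is safe to place in a CSV cell.

    Strings beginning with a formula leader are prefixed with an apostrophe so
    Excel/LibreOffice treat them as literal text. Native numbers pass through
    unchanged, so a balance of -7 is not turned into the text '-7."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return str(value)
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if text and text[0] in FORMULA_LEADERS:
        return "'" + text
    return text


def export_csv(header, rows) -> str:
    """Write header + rows with every field quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def export_csv_vulnerable(header, rows) -> str:
    """The unsafe pattern: user-supplied strings are written verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the second row's note is a classic DDE-style payload.
    rows = [["alice", 42, "ordinary note"],
            ["mallory", -7, "=cmd|' /C calc'!A0"]]
    print(export_csv_vulnerable(["user", "balance", "note"], rows))
    print(export_csv(["user", "balance", "note"], rows))
```

    Quoting every field does not by itself stop the attack (spreadsheets strip the quotes before evaluating), which is why the apostrophe prefix is applied to the cell content rather than relying on the CSV dialect.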

  • CVE-2025-31991 · Medium · Apr 13, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    Rate limiting for user login attempts is not properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks beyond the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7.
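
    An enforced login limit of the kind this entry says was missing, as an added example (not DevOps Velocity code): a sliding-window failure counter with lockout, keyed on both the account and the source IP so that neither spraying one account from many hosts nor spraying many accounts from one host slips under the limit. The thresholds, the credential table and the time values are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict


class LoginRateLimiter:
    """Sliding-window failure counter with lockout, keyed per account and per source IP."""

    def __init__(self, max_failures: int = 5, window: int = 300, lockout: int = 900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def allowed(self, key: str, now: float) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return True
        if now < until:
            return False
        del self._locked_until[key]      # lockout elapsed: start fresh
        self._failures[key].clear()
        return True

    def record_failure(self, key: str, now: float) -> None:
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()                  # drop failures outside the window
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


# Constructed stand-in for the real credential check.
_PASSWORDS = {"alice": "correct horse battery staple"}


def attempt_login(limiter: LoginRateLimiter, user: str, ip: str,
                  password: str, now: float) -> str:
    """Return 'locked', 'denied' or 'ok'.

    The lockout check runs before the password check, so a correct guess that
    arrives after the limit is still refused until the lockout expires."""
    keys = (f"user:{user.lower()}", f"ip:{ip}")
    if not all(limiter.allowed(k, now) for k in keys):
        return "locked"
    if _PASSWORDS.get(user.lower()) != password:
        for k in keys:
            limiter.record_failure(k, now)
        return "denied"
    for k in keys:
        limiter.record_success(k)
    return "ok"


if __name__ == "__main__":
    lim = LoginRateLimiter()
    for t in range(6):
        print(t, attempt_login(lim, "alice", "203.0.113.9", "wrong", now=t))
    print("correct password while locked:",
          attempt_login(lim, "alice", "203.0.113.9", _PASSWORDS["alice"], now=10))
```

    Per-account lockout can be turned into a denial of service against a named user, so production deployments usually pair a short account lockout with a longer per-IP one and progressive delays rather than a hard block alone.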

  • CVE-2025-62346 · Medium · Nov 20, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint.

  • CVE-2024-23589 · Medium · May 30, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    Due to an outdated hash algorithm, HCL Glovius Cloud could allow attackers to guess the input data efficiently using brute-force or dictionary attacks on modern hardware such as GPUs or ASICs.

  • CVE-2024-23584 · Medium · Apr 8, 2024
    risk 0.43 · cvss 6.6 · epss 0.00

    The NMAP Importer service may expose data store credentials to authorized users of the Windows Registry.

  • CVE-2026-21836 · Medium · May 20, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view…

  • CVE-2024-23580 · Medium · May 28, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of One-Time Passwords (OTPs). This could allow an attacker with access to the database to recover some or all encrypted values.

  • CVE-2024-23579 · Medium · May 28, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of security questions. This could allow an attacker with access to the database to recover some or all encrypted values.

  • CVE-2023-37526 · Medium · May 14, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning…

  • CVE-2026-21826 · Medium · Jun 5, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways.

  • CVE-2025-52647 · Medium · Oct 10, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    The BigFix WebUI application reflects the value of the HTTP Host request header in its responses, making it vulnerable to Host header poisoning attacks.
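
    Host header poisoning, as it applies to this entry and to the Digital Experience entry above, shown as an added example that is neither BigFix nor Digital Experience code: a password-reset link builder that takes its host from the request (including X-Forwarded-Host) beside one that only accepts a syntactically clean, allowlisted Host, and a third that ignores the request entirely. The hostnames, allowlist and header dictionaries are assumptions for illustration.

```python
import re

# Constructed allowlist: the canonical public hostname(s) of the deployment,
# configured server-side and never derived from the request.
ALLOWED_HOSTS = frozenset({"webui.example.internal", "webui.example.internal:8443"})
CANONICAL_HOST = "webui.example.internal"

# hostname[:port] only: no scheme, userinfo, path, whitespace or CR/LF.
_HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?")


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The poisoning pattern: whatever host the request names ends up in the link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?token={token}"


def trusted_host(headers: dict, allowed=ALLOWED_HOSTS) -> str:
    """Return the request host only if it is well-formed and allowlisted.

    X-Forwarded-Host is never consulted here; if a trusted reverse proxy sets it,
    validate it at the proxy, not in the application."""
    host = headers.get("Host", "").strip().lower()
    if not _HOST_RE.fullmatch(host):
        raise ValueError("malformed Host header")
    if host not in allowed:
        raise ValueError("Host not in allowlist")
    return host


def reset_link_hardened(headers: dict, token: str) -> str:
    host = trusted_host(headers)       # raises on anything untrusted
    return f"https://{host}/reset?token={token}"


def reset_link_canonical(token: str) -> str:
    """Safest option: absolute URLs come from configuration, not from the request."""
    return f"https://{CANONICAL_HOST}/reset?token={token}"


if __name__ == "__main__":
    evil = {"Host": "webui.example.internal", "X-Forwarded-Host": "attacker.example"}
    print("vulnerable:", reset_link_vulnerable(evil, "t1"))
    print("hardened:  ", reset_link_hardened(evil, "t1"))
    print("canonical: ", reset_link_canonical("t1"))
```

    The same check belongs in front of any code that uses the Host value for redirects, cache keys or CORS decisions, not only reset links; those are the other places a poisoned Host value typically surfaces.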

  • CVE-2025-59873 · Medium · Feb 23, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    An information exposure vulnerability exists in HCL Software ZIE for Web. The application transmits sensitive session tokens and authentication identifiers within URL query parameters. An attacker who gains access to any network log or operates a site…

  • CVE-2025-0254 · Medium · Mar 20, 2025
    risk 0.38 · cvss 5.9 · epss 0.00

    HCL Digital Experience components Ring API and dxclient may be vulnerable to man-in-the-middle (MitM) attacks prior to 9.5 CF226. An attacker could intercept and potentially alter communication between two parties.

  • CVE-2024-42197 · Medium · Dec 11, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    HCL Workload Scheduler stores user credentials in plain text which can be read by a local user.

  • CVE-2025-52622 · Medium · Dec 2, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    BigFix SaaS HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as Cross-Site Scripting…

  • CVE-2025-31979 · Medium · Aug 28, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A File Upload Validation Bypass vulnerability has been identified in the HCL BigFix SM, where the application fails to properly enforce file type restrictions during the upload process. An attacker may exploit this flaw to upload malicious or unauthorized files, such as scripts,…

  • CVE-2024-42187 · Medium · Jan 23, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    BigFix Patch Download Plug-ins are affected by a path traversal vulnerability. The application could allow operators to download files from a local repository whose path handling is vulnerable to path traversal attacks.

  • CVE-2025-31971 · Medium · Aug 28, 2025
    risk 0.33 · cvss 5.1 · epss 0.00

    AIML Solutions for HCL SX is affected by improper URL validation. The issue may allow attackers to launch a server-side request forgery (SSRF) attack, enabling unauthorized network calls from the system and potentially exposing internal services or sensitive information.

  • CVE-2025-31992 · Medium · Oct 12, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    HCL Unica MaxAI Assistant is susceptible to an HTML injection vulnerability. An attacker could insert special characters that are processed client-side in the context of the user's session.

  • CVE-2023-45707 · Medium · Jun 8, 2024
    risk 0.29 · cvss 4.4 · epss 0.00

    HCL Connections Docs is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary code. This may lead to credentials disclosure and possibly launch additional attacks.

  • CVE-2025-52606 · Medium · Jun 4, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    HCL iControl is affected by a weak input validation vulnerability. This weakness arises during implementation of an architectural security tactic: the application receives input that is expected to be of a certain type but does not validate, or incorrectly validates, that the input is…

  • CVE-2024-30143 · Medium · Mar 13, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    HCL AppScan Traffic Recorder fails to adequately neutralize special characters within the filename, potentially allowing it to resolve to a location beyond the restricted directory. Potential exploits can completely disrupt or takeover the application or the computer where the…

  • CVE-2025-52602 · Medium · Nov 5, 2025
    risk 0.27 · cvss 4.2 · epss 0.00

    HCL BigFix Query is affected by a sensitive information disclosure in the WebUI Query application. An HTTP GET endpoint request returns discoverable responses that may disclose: group names, active user names (or IDs). An attacker can use that information to target…

  • CVE-2026-21785 · Medium · May 27, 2026
    risk 0.26 · cvss 4.0 · epss 0.00

    A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define the directives that do not fall back to default-src, allowing attackers to bypass intended security restrictions and load unauthorized resources.
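
    A checker for the two CSP problems in this list (directives that have no default-src fallback left undefined, as in this entry, and required directives missing altogether, as in the Hive Telco Observability entry above), written as an added example that is not HCL code. The set of directives that do not fall back to default-src (base-uri, form-action, frame-ancestors, sandbox, the reporting directives, upgrade-insecure-requests) follows the CSP specification; which directives count as "required" and which sources count as risky are this checker's own policy, and the two sample headers are constructed.

```python
from typing import Dict, List, Optional

# Directives that do not inherit from default-src (CSP Level 3): if they are
# absent, nothing governs them at all.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}

# Minimum set this checker expects on an authenticated web UI (checker policy,
# not a spec mandate).
REQUIRED = ["default-src", "script-src", "object-src",
            "base-uri", "frame-ancestors", "form-action"]

# Source expressions that make script-src / object-src effectively open.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive ...' into a dict.

    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a directive wins."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources that actually govern `directive`, honouring the fallback rules.

    None means nothing governs it (unrestricted)."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy passed."""
    policy = parse_csp(header)
    findings: List[str] = []
    for d in REQUIRED:
        if d in policy:
            continue
        if d == "default-src":
            findings.append("default-src missing: fetch directives without an "
                            "explicit entry are unrestricted")
        elif d in NO_FALLBACK:
            findings.append(f"{d} missing (does not fall back to default-src)")
        elif "default-src" not in policy:
            findings.append(f"{d} missing and no default-src fallback")
    for d in ("script-src", "object-src"):
        for src in effective_sources(policy, d) or []:
            if src.lower() in RISKY_SOURCES:
                findings.append(f"{d} allows {src}")
    return findings


if __name__ == "__main__":
    weak = "script-src 'self' 'unsafe-inline'; img-src *"
    for line in audit_csp(weak):
        print("-", line)
```

    The fallback distinction is the point of the entry: a policy that sets `default-src 'self'` still leaves the page frameable by anyone and its forms submittable anywhere until `frame-ancestors` and `form-action` are written out explicitly.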

  • CVE-2025-52609 · Low · Jun 4, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL iControl is affected by a missing security headers vulnerability. Without the headers that enable the built-in XSS filtering mechanisms of modern web browsers, the application is more exposed to cross-site scripting (XSS) attacks.

  • CVE-2024-30119 · Low · Jun 14, 2024
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL DRYiCE Optibot Reset Station is impacted by a missing Strict Transport Security header. This could allow an attacker to intercept or manipulate data during redirection.

  • CVE-2025-31995 · Low · Oct 13, 2025
    risk 0.23 · cvss 3.5 · epss 0.01

    HCL Unica MaxAI Workbench is vulnerable to improper input validation. This allows attackers to exploit vulnerabilities such as SQL injection, XSS, or command injection, leading to unauthorized access or data breaches.

  • CVE-2025-62338 · Low · Jun 4, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    HCL BigFix Cloud Lifecycle Management is affected by lack of input validation. This low-level flaw allows unauthorized access and may lead to information exposure.

  • CVE-2026-21791 · Low · Mar 10, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    HCL Sametime for Android is impacted by a sensitive information disclosure. Hostname information is written to application logs and certain URLs.

  • CVE-2025-52611 · Low · Jun 4, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object…

  • CVE-2025-52608 · Low · Jun 4, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL iControl is affected by a missing cookie attributes vulnerability. The application omits several critical cookie attributes, including Secure and SameSite, and the cookie path is set to the root.

  • CVE-2024-42206 · Low · Jun 2, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL iReflection is affected by vulnerable and outdated third-party components detected in the web application.

  • CVE-2025-52655 · Low · Oct 10, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    Inclusion of Functionality from Untrusted Control Sphere vulnerability in HCL MyXalytics v6.6. Loading third-party scripts without integrity checks or validation can allow external code to run in the application's context, risking data exposure.

  • CVE-2024-30120 · Low · Jun 14, 2024
    risk 0.19 · cvss 2.9 · epss 0.00

    HCL DRYiCE Optibot Reset Station is impacted by an Unused Parameter in the web application.

  • CVE-2025-62345 · Low · May 6, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    HCL BigFix RunBookAI is affected by a Continued Availability of Less-Secure “Input Text” vulnerability. A component contains a security weakness in its input handling implementation, increasing the risk of misconfiguration and operational errors.

  • CVE-2024-42186 · Low · Jan 23, 2025
    risk 0.18 · cvss 2.8 · epss 0.00

    BigFix Patch Download Plug-ins are affected by insecure protocol support: the application may improperly handle SSL certificate validation.

  • CVE-2024-42184 · Low · Jan 23, 2025
    risk 0.16 · cvss 2.5 · epss 0.00

    BigFix Patch Download Plug-ins are affected by insecure support for the file:// URI scheme, which could allow a malicious operator to attempt to download local files using file:// URLs.

  • CVE-2024-42183 · Low · Jan 23, 2025
    risk 0.16 · cvss 2.5 · epss 0.00

    BigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability. It could allow a malicious operator to download files from arbitrary URLs without any proper validation or allowlist controls.

  • CVE-2024-42182 · Low · Jan 23, 2025
    risk 0.16 · cvss 2.5 · epss 0.00

    BigFix Patch Download Plug-ins are affected by Server-Side Request Forgery (SSRF) vulnerability. It may allow the application to download files from an internally hosted server on localhost.
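
    The four Patch Download Plug-in entries (path traversal in the local repository, file:// support, arbitrary download URLs with no allowlist, and SSRF to localhost) share one root cause: operator-supplied locations used without validation. The added example below, which is not HCL code and does not reflect how the plug-ins are implemented, shows one validation path for both cases: a download-URL check that rejects non-http(s) schemes, embedded credentials, hosts outside an allowlist, and hosts that resolve to loopback, private or otherwise internal addresses; and a repository path resolver that refuses anything escaping the repository root. The allowlist, hostnames, IP addresses and the `/srv/repo` root are constructed for the example, and `resolve` is injectable so the check can run offline.

```python
import ipaddress
import socket
from pathlib import Path
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of download origins an operator may point the plug-in at.
ALLOWED_HOSTS = frozenset({"download.windowsupdate.com", "mirror.example.org"})


def _is_internal(ip) -> bool:
    """True for addresses that an outbound fetch must never reach."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_download_url(url: str, allowed_hosts=ALLOWED_HOSTS,
                          resolve: Callable[[str], str] = socket.gethostbyname
                          ) -> Tuple[bool, str]:
    """Accept only http(s) URLs to allowlisted hosts that resolve to public addresses.

    Callers should connect to the address returned in the message rather than
    resolving the name a second time; otherwise a DNS answer that changes
    between check and use (rebinding) can route the fetch to an internal host."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed (blocks file://, ftp://)"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    host = parts.hostname.lower()
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        ip = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError) as exc:          # gaierror is an OSError
        return False, f"cannot resolve {host!r}: {exc}"
    if _is_internal(ip):
        return False, f"{host!r} resolves to internal address {ip}"
    return True, f"ok ({ip})"


def repo_file_path(repo_root: str, requested: str) -> Optional[Path]:
    """Resolve an operator-supplied name inside the local repository.

    Returns None for anything that escapes the root via '..', an absolute
    path, or a symlink pointing outside (resolve() follows symlinks)."""
    root = Path(repo_root).resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed resolver so the demo does not touch the network.
    table = {"download.windowsupdate.com": "13.107.4.50"}
    for u in ("https://download.windowsupdate.com/kb.msu",
              "file:///etc/passwd",
              "http://localhost:52311/cgi-bin/bfenterprise",
              "https://user:pw@download.windowsupdate.com/kb.msu"):
        print(u, "->", validate_download_url(u, resolve=table.get))
    print(repo_file_path("/srv/repo", "../etc/passwd"))
    print(repo_file_path("/srv/repo", "patches/kb5000001.msu"))
```

    Note that the allowlist check alone is not enough for the SSRF case: an allowlisted name under attacker control (or a poisoned resolver) can still point at 127.0.0.1, which is why the resolved address is checked as well.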

  • CVE-2002-0370 · Oct 10, 2002
    risk 0.03 · cvss n/a · epss 0.43

    Buffer overflow in the ZIP capability for multiple products allows remote attackers to cause a denial of service or execute arbitrary code via ZIP files containing entries with long filenames, including (1) Microsoft Windows 98 with Plus! Pack, (2) Windows XP, (3) Windows ME,…

  • CVE-2005-2618 · Dec 31, 2005
    risk 0.01 · cvss n/a · epss 0.08

    Multiple stack-based buffer overflows in Autonomy (formerly Verity) KeyView SDK before 9.2.0, as used in Lotus Notes 6.5.4 and 7.0, allow remote attackers to execute arbitrary code via (1) a UUE file containing an encoded file with a long filename handled by uudrdr.dll, (2) a…

  • CVE-2026-21768 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android's rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations.

Page 1 of 8