VYPR
Vendor

HCL Technologies Limited is an Indian multinational information technology (IT) consulting company headquartered in Noida, Uttar Pradesh. Founded by Shiv Nadar, it was spun out in 1991 when HCL entered into the software services business. The company has offices in 60 countries and over 220,000 employees. It is the third-largest India-headquartered IT services company by revenue and market capitalization as of 2024.

Founded: 1991
Products: 36
CVEs: 55
Across products: 83
Status: Private

Recent CVEs (55)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-21765 | Hig | 0.57 | 8.8 | 0.00 | | Apr 2, 2026 | HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions. |
| CVE-2024-30151 | Hig | 0.54 | 8.3 | 0.00 | | May 6, 2026 | HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or unauthorized system modifications |
| CVE-2025-52650 | Hig | 0.53 | 8.2 | 0.00 | | Oct 10, 2025 | Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0 |
| CVE-2025-52632 | Med | 0.42 | 6.5 | 0.00 | | Oct 10, 2025 | A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0. |
| CVE-2025-52644 | Med | 0.38 | 5.8 | 0.00 | | Mar 16, 2026 | HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged. The absence of proper auditing mechanisms may reduce traceability of user activities and could potentially impact monitoring, accountability, or incident investigation processes. |
| CVE-2025-52627 | Med | 0.36 | 5.5 | 0.00 | | Feb 3, 2026 | Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes. This issue affects AION: 2.0. |
| CVE-2025-52624 | Med | 0.35 | 5.4 | 0.00 | | Oct 10, 2025 | A vulnerability: bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks. This issue affects AION: 2.0. |
| CVE-2025-31960 | Med | 0.34 | 5.3 | 0.00 | | May 6, 2026 | HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception. |
| CVE-2025-31970 | Med | 0.34 | 5.3 | 0.00 | | May 6, 2026 | HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS) |
| CVE-2025-31981 | Med | 0.34 | 5.3 | 0.00 | | Apr 21, 2026 | HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access. An attacker with access to the network traffic can sniff packets from the connection and uncover the data. |
| CVE-2025-31976 | Med | 0.31 | 4.8 | 0.00 | | May 6, 2026 | HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application which could allow an attacker to potentially misuse them, if exfiltrated. |
| CVE-2025-62320 | Med | 0.31 | 4.7 | 0.00 | | Mar 17, 2026 | HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user’s browser. |
| CVE-2025-52643 | Med | 0.31 | 4.7 | 0.00 | | Mar 16, 2026 | HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment. This may expose the application to potential security risks, including unintended behaviour or integrity impact when processing specially crafted files. |
| CVE-2025-52613 | Med | 0.30 | 4.6 | 0.00 | | May 6, 2026 | HCL BigFix Service Management (SM) is affected by use of a vulnerable WSGI Server. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access. |
| CVE-2025-31978 | Med | 0.30 | 4.6 | 0.00 | | May 6, 2026 | HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content. |
| CVE-2025-52628 | Med | 0.30 | 4.6 | 0.00 | | Feb 3, 2026 | HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0. |
| CVE-2025-52626 | Med | 0.29 | 4.5 | 0.00 | | Feb 3, 2026 | A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system. This issue affects AION: 2.0 |
| CVE-2025-15634 | Med | 0.28 | 4.3 | 0.00 | | May 9, 2026 | A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page. |
| CVE-2026-21783 | Med | 0.28 | 4.3 | 0.00 | | Mar 24, 2026 | HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks. |
| CVE-2026-21767 | Med | 0.26 | 4.0 | 0.00 | | Apr 2, 2026 | HCL BigFix Platform is affected by insufficient authentication. The application might allow users to access sensitive areas of the application without proper authentication. |