HCLTech
HCL Technologies Limited is an Indian multinational information technology (IT) consulting company headquartered in Noida, Uttar Pradesh. Founded by Shiv Nadar, it was spun out in 1991 when HCL entered into the software services business. The company has offices in 60 countries and over 220,000 employees. It is the third-largest India-headquartered IT services company by revenue and market capitalization as of 2024.
Products (38)
- 41 CVEs
- 16 CVEs
- 11 CVEs
- 9 CVEs
- 9 CVEs
- 7 CVEs
- 7 CVEs
- 7 CVEs
- 5 CVEs
- 5 CVEs
- 4 CVEs
- 4 CVEs
- 4 CVEs
- 3 CVEs
- 3 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
Recent CVEs (132)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-62319 | | Critical | 0.64 | 9.8 | 0.00 | | Mar 16, 2026 | Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently… |
| CVE-2026-21837 | | High | 0.57 | 8.8 | 0.01 | | Jun 5, 2026 | HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a… |
| CVE-2026-21765 | | High | 0.57 | 8.8 | 0.00 | | Apr 2, 2026 | HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions. |
| CVE-2024-30151 | | High | 0.54 | 8.3 | 0.00 | | May 6, 2026 | HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or… |
| CVE-2026-22514 | | High | 0.53 | 8.1 | 0.01 | | Mar 25, 2026 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Unica unica allows PHP Local File Inclusion. This issue affects Unica: from n/a through <= 1.4.1. |
| CVE-2025-52650 | | High | 0.53 | 8.2 | 0.00 | | Oct 10, 2025 | Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0 |
| CVE-2025-52612 | | High | 0.46 | 7.1 | 0.00 | | Jun 4, 2026 | HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. |
| CVE-2025-15633 | | Medium | 0.42 | 6.5 | 0.00 | | May 9, 2026 | An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate… |
| CVE-2025-52632 | | Medium | 0.42 | 6.5 | 0.00 | | Oct 10, 2025 | A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0. |
| CVE-2026-21826 | | Medium | 0.40 | 6.1 | 0.00 | | Jun 5, 2026 | HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways. |
| CVE-2026-21825 | | Medium | 0.40 | 6.1 | 0.00 | | Jun 5, 2026 | HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center. An attacker could execute arbitrary JavaScript in the victim's browser. |
| CVE-2025-52644 | | Medium | 0.38 | 5.8 | 0.00 | | Mar 16, 2026 | HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged. The absence of proper auditing mechanisms may reduce traceability of user activities and could potentially impact monitoring, accountability, or incident investigation… |
| CVE-2025-52627 | | Medium | 0.36 | 5.5 | 0.00 | | Feb 3, 2026 | Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes. This issue affects AION: 2.0. |
| CVE-2025-62313 | | Medium | 0.35 | 5.4 | 0.00 | | May 14, 2026 | HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to unauthorized access or account compromise under certain conditions. |
| CVE-2025-62310 | | Medium | 0.35 | 5.4 | 0.00 | | May 14, 2026 | HCL AION is affected by a vulnerability where encryption is not enforced for certain data transmissions or operations. This may expose sensitive information to potential interception or unauthorized access under specific conditions. |
| CVE-2025-52624 | | Medium | 0.35 | 5.4 | 0.00 | | Oct 10, 2025 | A vulnerability Bypass of the script allowlist configuration in HCL AION. An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks. This issue affects… |
| CVE-2025-31960 | | Medium | 0.34 | 5.3 | 0.00 | | May 6, 2026 | HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the… |
| CVE-2025-31970 | | Medium | 0.34 | 5.3 | 0.00 | | May 6, 2026 | HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS) |
| CVE-2025-31981 | | Medium | 0.34 | 5.3 | 0.00 | | Apr 21, 2026 | HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access. An attacker with access to the network traffic can sniff packets from the connection and uncover the data. |
| CVE-2025-62308 | | Medium | 0.33 | 5.1 | 0.00 | | May 14, 2026 | HCL AION is affected by a vulnerability where sensitive backend infrastructure details may be exposed. Exposure of such information could reveal internal system architecture or configuration details, which may potentially assist in further analysis or targeted actions under… |