VYPR

Vendor CVEs

HCLTech

All CVEs

132 total · sorted by risk
  • CVE-2025-62319 · Critical · Mar 16, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently…

  • CVE-2026-21837 · High · Jun 5, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a…

  • CVE-2026-21765 · High · Apr 2, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    HCL BigFix Platform is affected by insecure permissions on private cryptographic keys. The private cryptographic keys located on a Windows host machine might be subject to overly permissive file system permissions.

  • CVE-2024-30151 · High · May 6, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or…

  • CVE-2026-22514 · High · Mar 25, 2026
    risk 0.53 · cvss 8.1 · epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Unica unica allows PHP Local File Inclusion. This issue affects Unica: from n/a through <= 1.4.1.

  • CVE-2025-52650 · High · Oct 10, 2025
    risk 0.53 · cvss 8.2 · epss 0.00

    An Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0.

  • CVE-2025-52612 · High · Jun 4, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    HCL iControl was affected by an Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by insufficient sanitization of input parameters.

  • CVE-2025-15633 · Medium · May 9, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate…

  • CVE-2025-52632 · Medium · Oct 10, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.

  • CVE-2026-21826 · Medium · Jun 5, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways.

  • CVE-2026-21825 · Medium · Jun 5, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center. An attacker could execute arbitrary JavaScript in the victim's browser.

  • CVE-2025-52644 · Medium · Mar 16, 2026
    risk 0.38 · cvss 5.8 · epss 0.00

    HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged. The absence of proper auditing mechanisms may reduce traceability of user activities and could potentially impact monitoring, accountability, or incident investigation…

  • CVE-2025-52627 · Medium · Feb 3, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes. This issue affects AION: 2.0.

  • CVE-2025-62313 · Medium · May 14, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to unauthorized access or account compromise under certain conditions.

  • CVE-2025-62310 · Medium · May 14, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    HCL AION is affected by a vulnerability where encryption is not enforced for certain data transmissions or operations. This may expose sensitive information to potential interception or unauthorized access under specific conditions.

  • CVE-2025-52624 · Medium · Oct 10, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A Bypass of the script allowlist configuration vulnerability in HCL AION. An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks. This issue affects…

  • CVE-2025-31960 · Medium · May 6, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the…

  • CVE-2025-31970 · Medium · May 6, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS).

  • CVE-2025-31981 · Medium · Apr 21, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access. An attacker with access to the network traffic can sniff packets from the connection and uncover the data.

  • CVE-2025-62308 · Medium · May 14, 2026
    risk 0.33 · cvss 5.1 · epss 0.00

    HCL AION is affected by a vulnerability where sensitive backend infrastructure details may be exposed. Exposure of such information could reveal internal system architecture or configuration details, which may potentially assist in further analysis or targeted actions under…

  • CVE-2025-62305 · Medium · May 14, 2026
    risk 0.33 · cvss 5.1 · epss 0.00

    HCL AION is affected by a vulnerability where certain operations may trigger out-of-band interactions, potentially resulting in unintended disclosure of sensitive information. Such behaviour may allow exposure of data to external systems under specific conditions.

  • CVE-2025-31976 · Medium · May 6, 2026
    risk 0.31 · cvss 4.8 · epss 0.00

    HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application, which could allow an attacker to potentially misuse them, if exfiltrated.

  • CVE-2025-62320 · Medium · Mar 17, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically…

  • CVE-2025-52643 · Medium · Mar 16, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment. This may expose the application to potential security risks, including unintended behaviour or integrity impact when processing…

  • CVE-2025-52613 · Medium · May 6, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    HCL BigFix Service Management (SM) is affected by use of a vulnerable WSGI server. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access.

  • CVE-2025-31978 · Medium · May 6, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other…

  • CVE-2025-52628 · Medium · Feb 3, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.

  • CVE-2025-52626 · Medium · Feb 3, 2026
    risk 0.29 · cvss 4.5 · epss 0.01

    A Potential Command Injection vulnerability in HCL AION. This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system. This issue affects AION: 2.0.

  • CVE-2025-52606 · Medium · Jun 4, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is…

  • CVE-2025-62311 · Medium · May 14, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    HCL AION is affected by a vulnerability where backend service details may be transmitted over insecure HTTP channels. This may expose sensitive information to potential interception or unauthorized access during transmission under certain conditions.

  • CVE-2025-15634 · Medium · May 9, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page.

  • CVE-2026-21783 · Medium · Mar 24, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers…

  • CVE-2025-31994 · Medium · Oct 13, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    HCL Unica Campaign 12.1.10 is vulnerable to Reflected Cross-Site Scripting (XSS) where an attacker injects malicious script into an HTTP request, which is then reflected unsafely in the server's immediate response to the victim's browser, executing the script as if it originated…

  • CVE-2025-31973 · Medium · May 20, 2026
    risk 0.26 · cvss 4.0 · epss 0.00

    HCL BigFix Service Management (SM) is susceptible to a Configuration – 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment.

  • CVE-2026-21767 · Medium · Apr 2, 2026
    risk 0.26 · cvss 4.0 · epss 0.00

    HCL BigFix Platform is affected by insufficient authentication. The application might allow users to access sensitive areas of the application without proper authentication.

  • CVE-2025-31974 · Low · May 6, 2026
    risk 0.25 · cvss 3.9 · epss 0.00

    HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized…

  • CVE-2025-52609 · Low · Jun 4, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL iControl was affected by a Missing Security Headers vulnerability: the headers that enable the built-in XSS filtering mechanisms of modern web browsers were absent, which could lead to cross-site scripting (XSS) attacks.

  • CVE-2025-31985 · Low · May 20, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed…

  • CVE-2025-31984 · Low · May 6, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed…

  • CVE-2025-31983 · Low · May 6, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information.

  • CVE-2025-31982 · Low · May 6, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality.

  • CVE-2025-59852 · Low · May 6, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information.

  • CVE-2025-59851 · Low · May 6, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL DFXAnalytics is affected by a Using Components with Known Vulnerabilities flaw where the application utilizes unpatched libraries or sub-components, which could allow an attacker to identify and exploit publicly known security vulnerabilities to gain unauthorized access or…

  • CVE-2025-31958 · Low · Apr 21, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between…

  • CVE-2025-52631 · Low · Feb 3, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. This issue affects AION: 2.0.

  • CVE-2025-52623 · Low · Feb 3, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. Allowing autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access.…

  • CVE-2025-52629 · Low · Feb 3, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    HCL AION is susceptible to a Missing Content-Security-Policy. The absence of a CSP header may increase the risk of cross-site scripting and other content injection attacks by allowing unsafe scripts or resources to execute. This issue affects AION: 2.0.

  • CVE-2025-52635 · Low · Oct 10, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A Trusted Types in scripts not enforced in CSP vulnerability has been identified in HCL AION. This issue affects AION: 2.0.

  • CVE-2025-52625 · Low · Oct 10, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A Cacheable SSL Page Found vulnerability has been identified in HCL AION. Cached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser. This issue affects AION: 2.0.

  • CVE-2025-52634 · Low · Oct 10, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION. This issue affects HCL AION: 2.0.

Page 1 of 3