HCLTech

All CVEs

132 total · sorted by risk
  • CVE-2025-52630 · Low · Oct 10, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION. This issue affects AION: 2.0.

  • CVE-2025-31959 · Low · May 6, 2026
    risk 0.23 · cvss 3.5 · epss 0.00

    HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared.

  • CVE-2025-55249 · Low · Jan 19, 2026
    risk 0.23 · cvss 3.5 · epss 0.00

    HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks.

  • CVE-2025-52642 · Low · Mar 16, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour. Exposure of internal paths may reveal environment structure details which could potentially aid in further targeted attacks or information…

  • CVE-2026-21791 · Low · Mar 10, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    HCL Sametime for Android is impacted by a sensitive information disclosure. Hostname information is written in application logs and certain URL

  • CVE-2025-52611 · Low · Jun 4, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object…

  • CVE-2025-52608 · Low · Jun 4, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL iControl was affected by a Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite, and that the cookie path is set to root.

  • CVE-2025-62312 · Low · May 14, 2026
    risk 0.20 · cvss 3.0 · epss 0.00

    HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to potential interception or misuse, especially if not combined with secure transmission practices.

  • CVE-2025-59854 · Low · May 6, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead…

  • CVE-2025-59853 · Low · May 6, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL DFXAnalytics is affected by an Improper Error Handling vulnerability where the application exposes detailed stack traces in responses, which could allow an attacker to gain insights into the application's internal structure, code logic, and environment configurations.

  • CVE-2025-52633 · Low · Feb 3, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. Storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0.

  • CVE-2025-55252 · Low · Jan 19, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL AION version 2 is affected by a Weak Password Policy vulnerability. This can allow the use of easily guessable passwords, potentially resulting in unauthorized access.

  • CVE-2025-55251 · Low · Jan 19, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.

  • CVE-2025-52641 · Low · Apr 15, 2026
    risk 0.19 · cvss 2.9 · epss 0.00

    HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited…

  • CVE-2025-31966 · Low · Mar 17, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    HCL Sametime is vulnerable to broken server-side validation. While the application performs client-side input checks, these are not enforced by the web server. An attacker can bypass these restrictions by sending manipulated HTTP requests directly to the server.

  • CVE-2025-52660 · Low · Jan 19, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.

  • CVE-2025-52659 · Low · Jan 19, 2026
    risk 0.18 · cvss 2.8 · epss 0.00

    HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure.

  • CVE-2025-62317 · Low · May 14, 2026
    risk 0.17 · cvss 2.6 · epss 0.00

    HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through browser history, logs, or intermediary systems, potentially leading to unintended information disclosure under certain…

  • CVE-2025-62309 · Low · May 14, 2026
    risk 0.17 · cvss 2.6 · epss 0.00

    HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. This may allow sensitive information to be stored in the browser, potentially leading to unintended exposure under specific conditions.

  • CVE-2025-31975 · Low · May 6, 2026
    risk 0.17 · cvss 2.6 · epss 0.00

    HCL BigFix Service Management (SM) is affected by an Information Disclosure (Server Banner) issue. Exposed server banners may reveal software versions and system details, potentially aiding attackers in targeting known vulnerabilities.

  • CVE-2025-31957 · Low · May 6, 2026
    risk 0.17 · cvss 2.6 · epss 0.00

    HCL BigFix Service Management (SM) is affected by a Cross-Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data.

  • CVE-2025-52661 · Low · Jan 19, 2026
    risk 0.16 · cvss 2.4 · epss 0.00

    HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised.

  • CVE-2025-62316 · Low · May 14, 2026
    risk 0.15 · cvss 2.3 · epss 0.00

    HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under…

  • CVE-2025-52646 · Low · Mar 16, 2026
    risk 0.14 · cvss 2.2 · epss 0.00

    HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information…

  • CVE-2025-52649 · Low · Mar 16, 2026
    risk 0.12 · cvss 1.8 · epss 0.00

    HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature. Predictable identifiers may allow an attacker to infer or guess system-generated values, potentially leading to limited information disclosure or unintended access under specific…

  • CVE-2025-52645 · Low · Mar 16, 2026
    risk 0.12 · cvss 1.9 · epss 0.00

    HCL AION is affected by a vulnerability where model packaging and distribution mechanisms may not include sufficient authenticity verification. This may allow the possibility of unverified or modified model artifacts being used, potentially leading to integrity concerns or…

  • CVE-2025-52636 · Low · Mar 16, 2026
    risk 0.12 · cvss 1.8 · epss 0.00

    HCL AION is affected by a vulnerability related to the handling of upload size limits. Improper control or validation of upload sizes may allow excessive resource consumption, which could potentially lead to service degradation or denial-of-service conditions under certain…

  • CVE-2025-55250 · Low · Jan 19, 2026
    risk 0.12 · cvss 1.8 · epss 0.00

    HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks.

  • CVE-2026-21790 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks.

  • CVE-2025-52648 · Mar 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    HCL AION is affected by a vulnerability where offering images are not digitally signed. Lack of image signing may allow the use of unverified or tampered images, potentially leading to security risks such as integrity compromise or unintended behavior in the system.

  • CVE-2025-52638 · Mar 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    HCL AION is affected by a vulnerability where generated containers may execute binaries with root-level privileges. Running containers with root privileges may increase the potential security risk, as it grants elevated permissions within the container environment. Aligning…

  • CVE-2025-52637 · Mar 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information…

  • CVE-2025-31964 · Jan 7, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication…

  • CVE-2025-31963 · Jan 7, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests.

  • CVE-2025-31962 · Jan 7, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods.

  • CVE-2025-51736 · Nov 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    File upload vulnerability in HCL Technologies Ltd. Unica 12.0.0.

  • CVE-2025-51735 · Nov 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0.

  • CVE-2025-51733 · Nov 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in HCL Technologies Ltd. Unica 12.0.0.

  • CVE-2025-51734 · Nov 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0.

  • CVE-2025-52616 · Oct 12, 2025
    risk 0.00 · cvss n/a · epss 0.00

    HCL Unica 12.1.10 can expose sensitive system information. An attacker could use this information to form an attack plan by leveraging known vulnerabilities in the application.

  • CVE-2025-31998 · Oct 12, 2025
    risk 0.00 · cvss n/a · epss 0.00

    HCL Unica Centralized Offer Management is vulnerable to poorly handled exceptions that expose sensitive information. An attacker can use this information to exploit known vulnerabilities and launch targeted attacks, such as remote code execution or denial of service.

  • CVE-2025-31997 · Oct 12, 2025
    risk 0.00 · cvss n/a · epss 0.00

    HCL Unica Centralized Offer Management is vulnerable to Insecure Direct Object References (IDOR). An attacker can bypass authorization and access resources in the system directly, for example database records or files.

  • CVE-2025-31993 · Oct 12, 2025
    risk 0.00 · cvss n/a · epss 0.00

    HCL Unica Centralized Offer Management is vulnerable to a potential Server-Side Request Forgery (SSRF). An attacker can exploit improper input validation by submitting maliciously crafted input to a target application running on a server.

  • CVE-2024-42193 · Apr 15, 2025
    risk 0.00 · cvss n/a · epss 0.00

    HCL BigFix Web Reports' service communicates over HTTPS but exhibits a weakness in its handling of SSL certificate validation. This scenario presents a possibility of man-in-the-middle (MITM) attacks and data exposure as, if exploited, this vulnerability could potentially lead…

  • CVE-2024-42189 · Apr 15, 2025
    risk 0.00 · cvss n/a · epss 0.00

    HCL BigFix Web Reports might be subject to a Denial of Service (DoS) attack, due to a potentially weak validation of an API parameter.

  • CVE-2024-42200 · Apr 15, 2025
    risk 0.00 · cvss n/a · epss 0.00

    HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input.

  • CVE-2025-0278 · Apr 3, 2025
    risk 0.00 · cvss n/a · epss 0.00

    HCL Traveler is affected by an internal path disclosure in a Windows application when the application inadvertently reveals internal file paths, in error messages, debug logs, or responses to user requests.

  • CVE-2025-0279 · Apr 3, 2025
    risk 0.00 · cvss n/a · epss 0.00

    HCL Traveler generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this information to gain insights into the system's…

  • CVE-2023-50355 · Oct 23, 2024
    risk 0.00 · cvss n/a · epss 0.00

    HCL Sametime is impacted by the error messages containing sensitive information. An attacker can use this information to launch another, more focused attack.

  • CVE-2024-30124 · Oct 23, 2024
    risk 0.00 · cvss n/a · epss 0.00

    HCL Sametime is impacted by insecure services in-use on the UIM client by default. An unused legacy REST service was enabled by default using the HTTP protocol. An attacker could potentially use this service endpoint maliciously.