HCL


Products by HCL, sorted by most security vulnerabilities since 2018

HCL AION: 28 vulnerabilities
HCL Unica: 13 vulnerabilities
HCL BigFix: 10 vulnerabilities
HCL MyXalytics: 7 vulnerabilities
HCL DevOps Loop: 1 vulnerability
HCL Domino AppDev Pack: 1 vulnerability
HCL iAutomate: 1 vulnerability

By the Year

In 2026 there have been 47 vulnerabilities in HCL products with an average score of 4.3 out of ten. Last year, in 2025, HCL had 39 security vulnerabilities published. That is, 8 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was higher by 0.90.

Year  Vulnerabilities  Average Score
2026  47               4.26
2025  39               5.16
2024  5                5.60
2023  1                5.30

It may take a day or so for new HCL vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent HCL Security Vulnerabilities

CVE | Date | Product | Vulnerability title (description on the following line)

CVE-2025-55261 | Mar 26, 2026 | - | Missing Functional Level Access Control in HCL Aftermarket DPC
    HCL Aftermarket DPC is affected by Missing Functional Level Access Control, which allows an attacker to escalate privileges, compromise the application, and steal or manipulate data.

CVE-2025-55262 | Mar 26, 2026 | - | SQLi in HCL Aftermarket DPC Enables Data Retrieval
    HCL Aftermarket DPC is affected by SQL Injection, which allows an attacker to retrieve sensitive information from the database.

CVE-2025-55263 | Mar 26, 2026 | - | HCL Aftermarket DPC Hardcoded Sensitive Data Exposes Secrets
    HCL Aftermarket DPC is affected by Hardcoded Sensitive Data: an attacker who gains access to the source code, or to insecure repositories where it is stored, can easily retrieve these hardcoded secrets.

CVE-2025-55264 | Mar 26, 2026 | - | Session Hijack: HCL Aftermarket DPC Persists After Password Reset
    HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change. An attacker who has access to a session can maintain control over the account despite the password change, leading to account takeover.

CVE-2025-55265 | Mar 26, 2026 | - | HCL Aftermarket DPC: File Discovery Enables Sensitive File Read
    HCL Aftermarket DPC is affected by File Discovery. An attacker could exploit this issue to read sensitive files present on the system and use them to craft further attacks.

CVE-2025-55266 | Mar 26, 2026 | - | HCL Aftermarket DPC Session Fixation Vulnerability
    HCL Aftermarket DPC is affected by Session Fixation, which allows an attacker to take over the user's session and use it to carry out unauthorized transactions on behalf of the user.

CVE-2025-55267 | Mar 26, 2026 | - | HCL Aftermarket DPC Unrestricted File Upload
    HCL Aftermarket DPC is affected by an Unrestricted File Upload vulnerability, which allows an attacker to upload and execute malicious scripts, gaining full control over the server.

CVE-2025-55268 | Mar 26, 2026 | - | DOS via Spamming in HCL Aftermarket DPC
    HCL Aftermarket DPC is affected by a Spamming vulnerability: excessive spamming by an actor can consume server bandwidth and processing resources, which may lead to Denial of Service.

CVE-2025-55269 | Mar 26, 2026 | - | HCL Aftermarket DPC Vulnerable to Weak Password Policy
    HCL Aftermarket DPC is affected by a Weak Password Policy vulnerability, which makes it easier for attackers to guess weak passwords or use brute-force techniques to gain unauthorized access to user accounts.

CVE-2025-55270 | Mar 26, 2026 | - | HCL Aftermarket DPC Improper Input: XSS/SQL/Command Injection
    HCL Aftermarket DPC is affected by Improper Input Validation, which allows an attacker to inject executable code and carry out attacks such as XSS, SQL Injection and Command Injection.

CVE-2025-55271 | Mar 26, 2026 | - | HCL Aftermarket DPC HTTP Response Splitting for Remote Code Exec
    HCL Aftermarket DPC is affected by an HTTP Response Splitting vulnerability. Depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response.

CVE-2025-55272 | Mar 26, 2026 | - | HCL Aftermarket DPC Banner Disclosure Vulnerability
    HCL Aftermarket DPC is affected by a Banner Disclosure vulnerability, through which attackers gain insight into the system's software and version details, allowing them to craft software-specific attacks.

CVE-2025-55273 | Mar 26, 2026 | - | HCL Aftermarket DPC XSS via Cross-Domain Script Include Causing Session Hijack
    HCL Aftermarket DPC is affected by a Cross Domain Script Include vulnerability: an attacker using external scripts can tamper with the DOM, altering the content or behavior of the application. Malicious scripts can steal cookies or session tokens, leading to session hijacking.

CVE-2025-55274 | Mar 26, 2026 | - | HCL Aftermarket DPC CORS Misconfig Exposes Sensitive Data
    HCL Aftermarket DPC is affected by a Cross-Origin Resource Sharing vulnerability. CORS misconfigurations include the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker exploits the CORS misconfiguration, they could steal sensitive data and perform actions on behalf of a legitimate user.

CVE-2025-55275 | Mar 26, 2026 | - | HCL Aftermarket DPC Admin Session Concurrency Hijack
    HCL Aftermarket DPC is affected by an Admin Session Concurrency vulnerability, using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user.

CVE-2025-55276 | Mar 26, 2026 | - | HCL Aftermarket DPC IP Disclosure Vulnerability
    HCL Aftermarket DPC is affected by an Internal IP Disclosure vulnerability, which gives attackers a clearer map of the organization's network layout.

CVE-2025-55277 | Mar 26, 2026 | - | Use of Vulnerable/Outdated Versions in HCL Aftermarket DPC
    HCL Aftermarket DPC is affected by a Use of Vulnerable/Outdated Versions vulnerability, using which an attacker may make use of exploits available across the internet and craft attacks against the application.
CVE-2025-62320 | Mar 17, 2026 | - | HTML Injection in Unspecified HCL Web Application
    HTML Injection can be carried out in the product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user's browser.

CVE-2025-31966 | Mar 17, 2026 | - | HCL Sametime Server-side Validation Bypass via Crafted HTTP Requests
    HCL Sametime is vulnerable to broken server-side validation. While the application performs client-side input checks, these are not enforced by the web server. An attacker can bypass these restrictions by sending manipulated HTTP requests directly to the server.

CVE-2025-62319 | Mar 16, 2026 | Unica | HCL Boolean-Based SQL Injection in Configuration Queries
    Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the injected condition evaluates to true or false. This allows an attacker to inject arbitrary SQL into backend configuration queries executed within the application.

CVE-2025-52642 | Mar 16, 2026 | Aion | HCL AION Path Disclosure via Application Response
    HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour. Exposure of internal paths may reveal environment structure details which could potentially aid in further targeted attacks or information disclosure.

CVE-2025-52646 | Mar 16, 2026 | Aion | SQL Injection via Offering Config in HCL AION
    HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information exposure under specific conditions.

CVE-2025-52645 | Mar 16, 2026 | Aion | Missing Auth Verification in HCL AION Model Pack
    HCL AION is affected by a vulnerability where model packaging and distribution mechanisms may not include sufficient authenticity verification. This may allow unverified or modified model artifacts to be used, potentially leading to integrity concerns or unintended behaviour.

CVE-2025-52649 | Mar 16, 2026 | Aion | Predictable Identifier Vulnerability in HCL AION
    HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature. Predictable identifiers may allow an attacker to infer or guess system-generated values, potentially leading to limited information disclosure or unintended access under specific conditions.

CVE-2025-52644 | Mar 16, 2026 | Aion | HCL AION Audit Log Deficiency
    HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged. The absence of proper auditing mechanisms may reduce traceability of user activities and could potentially impact monitoring, accountability, or incident investigation processes.

CVE-2025-52643 | Mar 16, 2026 | Aion | Untrusted File Parsing in HCL AION without proper sandbox
    HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment. This may expose the application to potential security risks, including unintended behaviour or integrity impact when processing specially crafted files.

CVE-2025-52636 | Mar 16, 2026 | Aion | HCL AION Upload Size Misvalidation Causing Potential DoS
    HCL AION is affected by a vulnerability related to the handling of upload size limits. Improper control or validation of upload sizes may allow excessive resource consumption, which could potentially lead to service degradation or denial-of-service conditions under certain scenarios.

CVE-2025-52648 | Mar 16, 2026 | Aion | HCL AION: Unsigned Images Risk Tampered Deployments
    HCL AION is affected by a vulnerability where offering images are not digitally signed. Lack of image signing may allow the use of unverified or tampered images, potentially leading to security risks such as integrity compromise or unintended behavior in the system.

CVE-2025-52638 | Mar 16, 2026 | Aion | AION Container Base Image auth bypass in HCL AION
    HCL AION is affected by a vulnerability where generated containers may execute binaries with root-level privileges. Running containers with root privileges increases the potential security risk, as it grants elevated permissions within the container environment. Aligning container configurations with security best practices requires minimizing privileges and avoiding root-level execution wherever possible.

CVE-2025-52637 | Mar 16, 2026 | Aion | SQLi in HCL AION Offering Configs Enables Arbitrary DB Queries
    HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information exposure under specific conditions.

CVE-2026-21791 | Mar 10, 2026 | - | HCL Sametime Android SI Disclosure via Logs
    HCL Sametime for Android is impacted by a sensitive information disclosure. Hostname information is written in application logs and certain URL
CVE-2025-59873 | Feb 23, 2026 | - | ZIE for Web URL Query Session Token Exposure
    An information exposure vulnerability exists in HCL Software ZIE for Web. The application transmits sensitive session tokens and authentication identifiers within URL query parameters. An attacker who gains access to any network log, or who operates a site linked from the application, can hijack user sessions. This issue affects ZIE for Web: v16.

CVE-2025-52631 | Feb 03, 2026 | Aion | HCL AION 2.0 Missing HSTS Header Vulnerability
    HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. This issue affects AION: 2.0.

CVE-2025-52623 | Feb 03, 2026 | Aion | HCL AION 2.0 Autocomplete ON Password Field
    HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. Allowing autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. This issue affects AION: 2.0.

CVE-2025-52628 | Feb 03, 2026 | Aion | HCL AION 2.0 SameSite Cookie Issue Enables CSRF Exposure
    HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.

CVE-2025-52633 | Feb 03, 2026 | Aion | HCL AION 2.0 Cookie Sensitive Session Info Vulnerability
    HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. Storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0.

CVE-2025-52629 | Feb 03, 2026 | Aion | HCL AION 2.0: Missing CSP Header (XSS Risk)
    HCL AION is susceptible to Missing Content-Security-Policy. The absence of a CSP header may increase the risk of cross-site scripting and other content injection attacks by allowing unsafe scripts or resources to execute. This issue affects AION: 2.0.

CVE-2025-52626 | Feb 03, 2026 | Aion | Command Injection in HCL AION 2.0
    A Potential Command Injection vulnerability exists in HCL AION. This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system. This issue affects AION: 2.0.

CVE-2025-52627 | Feb 03, 2026 | Aion | AION 2.0 Root FS Not Read-Only Allowing Critical File Modifications
    HCL AION is affected by a Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes. This issue affects AION: 2.0.

CVE-2025-55252 | Jan 19, 2026 | Aion | HCL AION 2 Weak Password Policy Vulnerability Allows Guessable Passwords
    HCL AION version 2 is affected by a Weak Password Policy vulnerability. This can allow the use of easily guessable passwords, potentially resulting in unauthorized access.

CVE-2025-55250 | Jan 19, 2026 | Aion | HCL AION 2 Info Disclosure via Technical Error Exposure
    HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks.

CVE-2025-52661 | Jan 19, 2026 | Aion | HCL AION 2 JWT Token Expiry Too Long Vulnerability
    HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised.

CVE-2025-55249 | Jan 19, 2026 | Aion | HCL AION Missing Security Response Headers
    HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application's overall security posture and increase its susceptibility to common web-based attacks.

CVE-2025-52659 | Jan 19, 2026 | Aion | HCL AION v2: Cacheable HTTP Response Vulnerability Exposes Sensitive Data
    HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure.

CVE-2025-52660 | Jan 19, 2026 | Aion | HCL AION Unrestricted File Upload (UFU) enabling code execution
    HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.

CVE-2025-55251 | Jan 19, 2026 | Aion | HCL AION Unrestricted File Upload RCE Risk
    HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.

CVE-2025-59870 | Jan 16, 2026 | Myxalytics | HCL MyXalytics Static JWT Secret Rotation Defect
    HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk.

CVE-2025-55254 | Dec 17, 2025 | Bigfix | HCL BigFix Remote Control Lite Web Portal 10.1.0.0326: Path-Relative Stylesheet Import XSS
    Improper management of Path-relative stylesheet import in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow malicious code to execute in certain web pages.

CVE-2025-59849 | Dec 17, 2025 | Bigfix | HCL BigFix Remote Control Web Portal 10.1.0.0326 Improper CSP
    Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages.

CVE-2025-62329 | Dec 16, 2025 | - | HCL DevOps Deploy Session Binding Race Condition Enables IP Hijacking
    HCL DevOps Deploy / HCL Launch is susceptible to a race condition in HTTP-session client-IP binding enforcement, which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized access under certain network conditions.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).