This page lists publicly disclosed CVE vulnerabilities affecting hcltech digital_experience (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-21837 | HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise. | [email protected] | 8.7 | 0.14% | 2026-06-05 | 2026-06-10 |
| CVE-2026-21826 | HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways. | [email protected] | 6.1 | 0.03% | 2026-06-05 | 2026-06-10 |
| CVE-2026-21825 | HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center. An attacker could execute arbitrary JavaScript in the victim's browser. | [email protected] | 6.1 | 0.03% | 2026-06-05 | 2026-06-10 |
| CVE-2025-62326 | HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit. | [email protected] | 6.1 | 0.03% | 2026-02-20 | 2026-02-24 |
| CVE-2025-31988 | HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access. | [email protected] | 4.9 | 0.02% | 2025-08-19 | 2025-08-21 |
| CVE-2023-37538 | HCL Digital Experience is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web site). | [email protected] | 9.3 | 0.24% | 2023-10-11 | 2024-11-21 |
| CVE-2022-38653 | In HCL Digital Experience, customized XSS payload can be constructed such that it is served in the application unencoded. | [email protected] | 2.0 | 0.42% | 2022-12-19 | 2025-04-18 |
| CVE-2020-4081 | In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS). | [email protected] | 6.1 | 0.36% | 2021-02-02 | 2024-11-21 |
| CVE-2020-14255 | HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations. | [email protected] | 7.5 | 0.32% | 2021-02-02 | 2024-11-21 |
| CVE-2020-14221 | HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users. | [email protected] | 4.9 | 0.34% | 2021-02-02 | 2024-11-21 |
| CVE-2020-14223 | HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross-site scripting (XSS). The vulnerability could be employed in a reflected or non-persistent XSS attack. | [email protected] | 6.1 | 0.36% | 2020-10-01 | 2024-11-21 |