汇总 HCLTech 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
已披露问题常与 跨站脚本、路径处理缺陷与CSRF 相关,可能在 软件部署与生产负载 场景中带来 会话劫持与文件覆盖 等暴露风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2026-21837 | HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise. | [email protected] | 8.7 | 0.46% | 2026-06-05 | 2026-06-10 |
| CVE-2026-21826 | HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways. | [email protected] | 6.1 | 0.03% | 2026-06-05 | 2026-06-10 |
| CVE-2026-21825 | HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center. An attacker could execute arbitrary JavaScript in the victim's browser. | [email protected] | 6.1 | 0.03% | 2026-06-05 | 2026-06-10 |
| CVE-2025-52612 | HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. . | [email protected] | 7.1 | 0.04% | 2026-06-04 | 2026-06-04 |
| CVE-2025-52611 | HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object that is undefined. This issue likely stems from one of the following: A missing or improperly initialized object. | [email protected] | 3.1 | 0.03% | 2026-06-04 | 2026-06-04 |
| CVE-2025-52609 | HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers. | [email protected] | 3.7 | 0.05% | 2026-06-04 | 2026-06-04 |
| CVE-2025-52608 | HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root. | [email protected] | 3.1 | 0.02% | 2026-06-04 | 2026-06-04 |
| CVE-2025-52606 | HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. | [email protected] | 4.3 | 0.03% | 2026-06-04 | 2026-06-04 |
| CVE-2025-31985 | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly. | [email protected] | 3.7 | 0.03% | 2026-05-20 | 2026-05-20 |
| CVE-2025-31973 | HCL BigFix Service Management (SM) is susceptible to a Configuration – 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment. | [email protected] | 4.0 | 0.01% | 2026-05-20 | 2026-05-20 |
| CVE-2025-15634 | A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page. | [email protected] | 5.3 | 0.03% | 2026-05-09 | 2026-05-14 |
| CVE-2025-15633 | An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers. | [email protected] | 5.3 | 0.04% | 2026-05-09 | 2026-05-14 |
| CVE-2025-31974 | HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes. | [email protected] | 3.9 | 0.03% | 2026-05-06 | 2026-05-11 |
| CVE-2025-31960 | HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception. | [email protected] | 5.3 | 0.03% | 2026-05-06 | 2026-05-07 |
| CVE-2024-30151 | HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or unauthorized system modifications | [email protected] | 8.3 | 0.06% | 2026-05-06 | 2026-05-07 |
| CVE-2025-52613 | HCL BigFix Service Management (SM) is affected by use of a vulnerable WSGI Server was identified. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access. | [email protected] | 4.6 | 0.06% | 2026-05-06 | 2026-05-07 |
| CVE-2025-31984 | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly. | [email protected] | 3.7 | 0.03% | 2026-05-06 | 2026-05-07 |
| CVE-2025-31983 | HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information. | [email protected] | 3.7 | 0.03% | 2026-05-06 | 2026-05-06 |
| CVE-2025-31982 | HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality. | [email protected] | 3.7 | 0.03% | 2026-05-06 | 2026-05-06 |
| CVE-2025-31978 | HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content. | [email protected] | 4.6 | 0.03% | 2026-05-06 | 2026-05-07 |