PatchSiren

HCL CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH HCL CVE published 2026-06-04

CVE-2025-59874

CVE-2025-59874 is a HIGH severity vulnerability in HCL Hive Telco Observability. A Required directives missing from the CSP issue is detected in keycloak component of the web application. Missing essential directives can leave a site vulnerable. The vulnerability was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2025-59874) and last modified on [cveModifiedAt](https://nvd.nist.gov/vul [truncated]

LOW HCL CVE published 2026-06-04

CVE-2025-52611

CVE-2025-52611 is a low-severity vulnerability (CVSS Score: 3.1) affecting HCL iControl v4.0.0. The issue arises from an unhandled exception leading to stack trace disclosure. This occurs when the application's JavaScript code attempts to access an undefined property, specifically trying to read the 'dashboard' key from an object that has not been properly initialized or is missing.

LOW HCL CVE published 2026-06-04

CVE-2025-52609

CVE-2025-52609 is a LOW-severity vulnerability in HCL iControl, a product from HCL Technologies. The vulnerability is caused by missing security headers, which could lead to cross-site scripting (XSS) attacks. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 3.7. The vulnerability was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2025-52609) and last modi [truncated]

LOW HCL CVE published 2026-06-04

CVE-2025-52608

HCL iControl was affected by a Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. The path is also set to root. This vulnerability has a CVSS score of 3.1 and a severity of LOW.

MEDIUM HCL CVE published 2026-06-04

CVE-2025-52606

A medium severity vulnerability, CVE-2025-52606, was found in HCL iControl. The vulnerability is caused by a Weak Input Validation weakness, which occurs during the implementation of an architectural security tactic. The product receives input that is expected to be of a certain type but does not validate or incorrectly validates that the input is actually of the expected type. The Common Vulnerability Sc [truncated]

LOW HCL CVE published 2026-05-20

CVE-2025-31985

CVE-2025-31985 affects HCL BigFix Service Management 23.0 and is described as a security misconfiguration involving a missing or insecure X-Content-Type-Options header. Without that header, browsers may perform MIME-type sniffing and handle content in a way the application did not intend. The record is published as a low-severity issue, but it still matters because it can affect how users' browsers interp [truncated]

MEDIUM HCL CVE published 2026-05-20

CVE-2025-31973

CVE-2025-31973 describes a configuration issue in HCL BigFix Service Management where an insecure or outdated base image version may be used. NVD lists the impact as low in confidentiality, integrity, and availability, with a CVSS 3.1 vector of AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L. The issue was published by NVD on 2026-05-20 and an HCL vendor advisory is referenced for mitigation guidance.

MEDIUM HCL CVE published 2026-05-09

CVE-2025-15633

CVE-2025-15633 is an improper authorization issue in HCL BigFix WebUI. According to the CVE description and HCL reference, an authenticated user without Master Operator privileges may access internal data such as site names, versions, and configuration variables through unprotected endpoints, bypassing intended privilege checks. The CVSS score is 5.3 (Medium).

CRITICAL HCL CVE published 2026-03-16

CVE-2025-62319

CVE-2025-62319 is a critical Boolean-Based SQL Injection vulnerability in HCLTech Unica and Unica Audience Central. This CVE debrief provides an overview of the vulnerability, its impact, and recommended actions for mitigation.