CVE-2025-31985 affects HCL BigFix Service Management 23.0 and is described as a security misconfiguration involving a missing or insecure X-Content-Type-Options header. Without that header, browsers may perform MIME-type sniffing and handle content in a way the application did not intend. The record is published as a low-severity issue, but it still matters because it can affect how users' browsers interp [truncated]
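A header audit for the condition described in CVE-2025-31985, as an added example that is not HCL's code or part of the CVE record; the function names and sample responses are constructed for illustration. It applies the browser rule from the Fetch standard that only the first listed value decides, using a simplified comma split.

```python
# Added example: audit raw HTTP responses for X-Content-Type-Options.
# All sample responses are constructed, not captured from any HCL product.

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lowercased name, value) pairs from a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # drop the body
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_nosniff(raw: str) -> str:
    """Classify a response as 'ok', 'missing' or 'insecure'."""
    values = []
    for name, value in parse_headers(raw):
        if name == "x-content-type-options":
            # Repeated headers are combined in order, then split on commas.
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return "missing"  # header absent: browser may MIME-sniff
    # Only the first value counts, compared case-insensitively.
    return "ok" if values[0].lower() == "nosniff" else "insecure"


BASE = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
SAMPLES = {  # constructed responses
    "absent": BASE + "\r\n<script>1</script>",
    "correct": BASE + "x-content-type-options: NoSniff\r\n\r\nhi",
    "typo": BASE + "X-Content-Type-Options: no-sniff\r\n\r\nhi",
    "empty": BASE + "X-Content-Type-Options:\r\n\r\nhi",
    "shadowed": BASE + "X-Content-Type-Options: sniff\r\n"
                       "X-Content-Type-Options: nosniff\r\n\r\nhi",
    "in_body_only": BASE + "\r\nX-Content-Type-Options: nosniff",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} {audit_nosniff(raw)}")
```

The "shadowed" and "in_body_only" cases are the ones a plain substring search for `nosniff` would wrongly pass.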
CVE-2025-15633 is an improper authorization issue in HCL BigFix WebUI. According to the CVE description and HCL reference, an authenticated user without Master Operator privileges may access internal data such as site names, versions, and configuration variables through unprotected endpoints, bypassing intended privilege checks. The CVSS score is 5.3 (Medium).