PatchSiren

HCLSoftware CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM HCLSoftware CVE published 2026-06-27

CVE-2025-59868

CVE-2025-59868 is a sensitive data exposure vulnerability in HCL Traveler for Microsoft Outlook (HTMO). An attacker could exploit application information to then attempt additional attacks and cause unknown behavior in the application. The vulnerability has a CVSS score of 5.5 and a severity of MEDIUM. The CVE was published on June 27, 2026, and modified on June 29, 2026. Evidence is limited; further anal [truncated]

HIGH HCLSoftware CVE published 2026-06-27

CVE-2023-37524

CVE-2023-37524 is a high-severity vulnerability in HCL Traveler for Microsoft Outlook (HTMO) caused by its reliance on the outdated .NET Framework 4.5. This framework has reached end-of-life and no longer receives security updates, potentially exposing HTMO to known security weaknesses through vulnerable third-party components. The vulnerability has a CVSS score of 7.7 and is considered high severity. HCL [truncated]

MEDIUM HCLSoftware CVE published 2026-06-26

CVE-2024-23581

CVE-2024-23581 is a medium-severity vulnerability (CVSS score of 6.7) affecting HCL Traveler for Microsoft Outlook. The vulnerability was published on June 26, 2026, and last modified on June 29, 2026. The CVE record and NVD detail pages provide information on this vulnerability. According to the HCL Software support page, the issue involves libraries being flagged as potentially malicious software or an [truncated]

LOW HCLSoftware CVE published 2026-06-23

CVE-2025-15619

CVE-2025-15619 is a broken access control vulnerability in HCL Connections that may allow an unauthorized user to view data in a single specific scenario. The vulnerability has a CVSS score of 3.5 and a severity of LOW. The CVE was published on 2026-06-23T16:16:58.393Z and last modified on 2026-06-25T20:20:44.730Z. The vendor, HCL Software, has provided a reference for this vulnerability. However, details [truncated]

MEDIUM HCLSoftware CVE published 2026-06-19

CVE-2026-21768

CVE-2026-21768 is a medium-severity vulnerability (CVSS score of 6.3) affecting the compose-rich-editor library (version 1.0.0-rc14) used in HCL Verse for Android's rich text email composition. The library fails to properly validate all HTML input, allowing malicious content to be executed in certain situations. This issue primarily impacts Android users of HCL Verse who engage with rich text emails. The [truncated]

HIGH HCLSoftware CVE published 2026-06-05

CVE-2026-21837

CVE-2026-21837 is an OS command injection vulnerability in HCL Digital Experience's Digital Asset Management API. An attacker could execute arbitrary OS commands, potentially leading to a complete system takeover and data compromise. The vulnerability has a CVSS score of 8.7 and is considered HIGH severity.

MEDIUM HCLSoftware CVE published 2026-06-05

CVE-2026-21826

CVE-2026-21826 is a medium-severity vulnerability affecting HCL Digital Experience and HCL Digital Experience Compose. The vulnerability is caused by a Host header injection issue, which allows an attacker to manipulate the Host header and cause the application to behave in unexpected ways. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 6.1. The vulnerability was published [truncated]

MEDIUM HCLSoftware CVE published 2026-06-05

CVE-2026-21825

HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center. An attacker could execute arbitrary JavaScript in the victim's browser.

LOW HCLSoftware CVE published 2026-06-04

CVE-2025-62338

CVE-2025-62338 is a low-severity vulnerability in HCL BigFix Cloud Lifecycle Management. The issue is caused by a lack of input validation, which could allow unauthorized access and potentially lead to information exposure. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 3.3, indicating a low severity. The vulnerability was published on [cvePublishedAt](https://www.cve.org/C [truncated]

MEDIUM HCLSoftware CVE published 2026-05-27

CVE-2026-21785

A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources. The vulnerability was published on 2026-05-27 with a CVSS 3.1 score of 4.0 (MEDIUM severity). The attack vector is network-based with high attack [truncated]

MEDIUM HCLSoftware CVE published 2026-05-20

CVE-2026-21836

CVE-2026-21836 describes a broken access control issue in the HCL DominoIQ RAG feature. Under certain circumstances, document-level access restrictions can be ignored when the AI query engine decides what data to return, which could allow an authenticated attacker to see sensitive information. The issue was published on 2026-05-20 and is rated CVSS 6.5 (Medium) with confidentiality impact only. The availa [truncated]

MEDIUM HCLSoftware CVE published 2026-05-18

CVE-2026-21789

A broken access control vulnerability in HCL Connections may allow unauthorized users to update data under certain conditions. The vulnerability is classified as CWE-863 (Incorrect Authorization) and carries a CVSS 3.1 score of 4.6 (Medium severity). The attack vector is network-based with low attack complexity, requiring low privileges and user interaction. The vulnerability was published to the NVD on 2 [truncated]