
HCL Aftermarket DPC: CVE-2025-55270

EUVD ID: EUVD-2025-209063
Severity: LOW (CVSS 3.1 base score 3.5)
Weakness: Improper Input Validation (CWE-20)
Published: 2026-03-26
Vendor: HCL
Related advisory: GHSA-jhhm-rg4m-4qmm

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline (3 events)

Mar 26, 2026 12:59  CVE Published (nvd)
Mar 26, 2026 13:15  EUVD ID Assigned (euvd): EUVD-2025-209063
Mar 26, 2026 13:15  Analysis Generated (vuln.today)

Description (source: NVD)

HCL Aftermarket DPC is affected by Improper Input Validation, which allows an attacker to inject executable code and carry out attacks such as XSS, SQL injection, command injection, etc.

Analysis (AI-generated)

HCL Aftermarket DPC version 1.0.0 contains an improper input validation weakness (CWE-20) that, according to the vendor description, enables multiple injection classes, including cross-site scripting (XSS), SQL injection and command injection. Exploitation requires an authenticated low-privilege account and a user-interaction step. No public exploit code or active exploitation had been identified at the time of analysis. The Low CVSS 3.1 base score of 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) records a limited confidentiality impact only. That vector is worth reading alongside the description: a server-side SQL or command injection that reads or changes data would normally carry Integrity or Availability above None, whereas a user-interaction requirement with a small confidentiality impact is typical of XSS. Treat the SQL and command injection claims as unconfirmed until the vendor publishes details of the affected code paths.

Technical Context (AI-generated)

The vulnerability resides in HCL Aftermarket DPC (CPE: cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*), which this analysis characterizes as an aftermarket product management system. The root cause is classified as CWE-20 (Improper Input Validation): user-supplied input is not validated or sanitized before it reaches a sensitive sink. Which injection class results depends on where the unvalidated input flows: reflected into an HTML response (XSS), concatenated into a database query (SQL injection), or passed to an operating-system command (command injection). Version 1.0.0 is the only release named as affected; the NVD CPE carries a wildcard version, so other releases should be treated as unconfirmed rather than as known-clean until the vendor states a fixed version.

Remediation (AI-generated)

Consult the HCL support article (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793) and the GitHub advisory GHSA-jhhm-rg4m-4qmm for patch availability and the exact fixed version, then upgrade HCL Aftermarket DPC to that release. Until the patch is applied:

- Fix at the sinks, not only at the edge: parameterized queries for database access, context-aware output encoding for anything reflected into HTML, and argument-list (no shell) execution for any OS command that takes user data. Allow-list validation at the trust boundary is a second layer, not a substitute.
- Restrict network access to Aftermarket DPC to internal, authenticated users, and review which accounts hold the low-privilege role that the CVSS vector assumes an attacker already has.
- Place a Web Application Firewall (WAF) rule set for common XSS and SQL injection payloads in front of the application, treating it as a stopgap that reduces opportunistic exploitation rather than a fix.
- Run the database account and any command-execution context with least privilege so that a successful injection has limited reach.
- Enable audit logging of request parameters and command execution so that attempts can be detected and investigated.
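The three sinks named in Technical Context and the sink-level fixes listed in Remediation, shown side by side as an added illustration. This is not HCL Aftermarket DPC code and the product's stack is unknown; the part-number field, its allow-list format, the table layout and the payloads are all constructed for the example.

```python
"""Added illustration, not HCL Aftermarket DPC code: one untrusted request field
reaching three sinks (HTML, SQL, OS command), each in the CWE-20 form the advisory
describes and in a hardened form. Product stack, names and payloads are assumptions."""
import html
import re
import sqlite3
import subprocess

# Constructed sample inputs (not taken from the advisory).
BENIGN = "PN-4471"
XSS_PAYLOAD = "<script>alert(1)</script>"
SQLI_PAYLOAD = "x' OR '1'='1"
CMDI_PAYLOAD = "file.txt; echo INJECTED"

# Hypothetical allow-list for a part-number field: two letters, dash, four digits.
PART_NUMBER_RE = re.compile(r"[A-Z]{2}-[0-9]{4}")


def is_valid_part_number(value: str) -> bool:
    """Boundary validation: reject anything outside the expected shape."""
    return PART_NUMBER_RE.fullmatch(value) is not None


# --- Sink 1: HTML response (XSS) -------------------------------------------
def vulnerable_render(value: str) -> str:
    # Reflects the raw value into markup; a script payload runs in the viewer's browser.
    return f"<td>{value}</td>"


def safe_render(value: str) -> str:
    # Context-aware output encoding for an HTML text context.
    return f"<td>{html.escape(value, quote=True)}</td>"


# --- Sink 2: SQL query (SQL injection) --------------------------------------
def _parts_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's parts catalogue (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parts (part_number TEXT, dealer TEXT)")
    conn.executemany(
        "INSERT INTO parts VALUES (?, ?)",
        [("PN-4471", "dealer-a"), ("PN-9000", "dealer-b")],
    )
    return conn


def vulnerable_lookup(value: str) -> list:
    # String-built query: the payload's OR clause matches every row.
    query = f"SELECT dealer FROM parts WHERE part_number = '{value}'"
    return _parts_db().execute(query).fetchall()


def safe_lookup(value: str) -> list:
    # Parameterized query: the value is bound as data, never parsed as SQL.
    query = "SELECT dealer FROM parts WHERE part_number = ?"
    return _parts_db().execute(query, (value,)).fetchall()


# --- Sink 3: OS command (command injection) ---------------------------------
def vulnerable_command(value: str) -> str:
    # shell=True with interpolation: the ';' in the payload starts a second command.
    result = subprocess.run(f"echo {value}", shell=True, capture_output=True, text=True)
    return result.stdout


def safe_command(value: str) -> str:
    # Argument list, no shell: the whole value is a single argv element.
    result = subprocess.run(["echo", value], capture_output=True, text=True)
    return result.stdout


def handle_request(value: str) -> dict:
    """Hardened request path: validate at the boundary, then use only the safe sinks."""
    if not is_valid_part_number(value):
        return {"error": "invalid part number"}
    return {
        "html": safe_render(value),
        "dealers": [row[0] for row in safe_lookup(value)],
        "echo": safe_command(value).strip(),
    }


if __name__ == "__main__":
    print(vulnerable_render(XSS_PAYLOAD), "->", safe_render(XSS_PAYLOAD))
    print(vulnerable_lookup(SQLI_PAYLOAD), "->", safe_lookup(SQLI_PAYLOAD))
    print(vulnerable_command(CMDI_PAYLOAD).split(), "->", safe_command(CMDI_PAYLOAD).split())
    print(handle_request(BENIGN), handle_request(XSS_PAYLOAD))
```

The point of keeping both layers in handle_request is the one the remediation list makes: the allow-list stops these three payloads at the boundary, but a field that legitimately contains quotes, angle brackets or semicolons (a free-text comment, for example) cannot be allow-listed that tightly, and then only the parameterized query, the output encoding and the shell-free exec call keep it from being interpreted as code.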


CVE-2025-55270 vulnerability details – vuln.today
