Skip to main content

HCL DevOps Loop CVE-2026-21762

| EUVDEUVD-2026-45232 LOW
Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644)
2026-07-17 psirt@hcl.com
3.7
CVSS 3.1 · Vendor: hcl

Severity by source

Vendor (hcl) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

AC:H because exploitation requires chaining with a social-engineering step; UI:R because browser attacks like clickjacking require user interaction with a malicious page.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hcl).

CVSS VectorVendor: hcl

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 17:32 vuln.today

DescriptionCVE.org

HCL DevOps Loop is affected by missing HTTP security headers. Missing security headers may reduce browser protections against common web-based attacks such as clickjacking, MIME-type sniffing, and cross-site scripting.

AnalysisAI

HCL DevOps Loop omits critical HTTP security response headers, degrading browser-enforced protections against clickjacking, MIME-type sniffing, and cross-site scripting for all users of the application. The absence of headers such as Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options does not introduce a standalone exploit path but removes a layer of defense-in-depth that browsers rely on to block client-side attack chains. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify HCL DevOps Loop instance
Delivery
Host malicious page embedding Loop in iframe or injecting script
Exploit
Victim user visits attacker-controlled page
Execution
Absent X-Frame-Options or CSP enables clickjacking or script execution
Impact
Exfiltrate limited session or credential data

Vulnerability AssessmentAI

Exploitation No authentication or special privilege is required to receive HTTP responses lacking security headers, as the headers are absent from all server responses by default. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) classifies this as Low severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker wishing to perform clickjacking against HCL DevOps Loop users could host a transparent iframe embedding the application inside a malicious webpage, tricking authenticated users into performing unintended actions - feasible specifically because X-Frame-Options or a CSP frame-ancestors directive is absent. Separately, the lack of a Content-Security-Policy makes it easier to inject and execute malicious scripts if any XSS injection point exists elsewhere in the application. …
Remediation The primary remediation is to review and apply the guidance in HCL's knowledge base article KB0132296 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0132296, which may include a patched release or configuration update; an exact fix version is not confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21762 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy