Skip to main content

HCL DevOps Loop CVE-2026-21764

| EUVDEUVD-2026-45233 LOW
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-07-17 psirt@hcl.com GHSA-35w6-wm82-6c6f
3.1
CVSS 3.1 · Vendor: hcl

Severity by source

Vendor (hcl) PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.1 LOW

Network-accessible input validation flaw but requires authenticated access (PR:L), specific triggering conditions (AC:H), and yields only limited information disclosure (C:L); no integrity or availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hcl).

CVSS VectorVendor: hcl

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 17:31 vuln.today

DescriptionCVE.org

HCL DevOps Loop is affected by insufficient input validation that allows special characters where they should be restricted. This may result in unintended application behavior under certain conditions.

AnalysisAI

Insufficient input validation in HCL DevOps Loop permits special characters in fields where they should be restricted, enabling authenticated network-accessible attackers under high-complexity conditions to trigger unintended application behavior resulting in limited information disclosure. The CVSS score of 3.1 (Low) reflects constrained real-world impact: exploitation requires prior authentication and specific conditions to materialize. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to HCL DevOps Loop with low-privilege account
Delivery
Identify input field lacking special-character restriction
Exploit
Craft payload with restricted special characters
Execution
Submit under conditions triggering unintended behavior
Impact
Receive limited sensitive information in application response

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with at least low-privilege access to HCL DevOps Loop (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The composite risk picture for this vulnerability is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with low privileges sends a crafted request containing special characters to an HCL DevOps Loop input field that lacks proper validation. Under the specific conditions required by the AC:H vector - likely a particular application state, configuration, or input combination - the application processes the malformed input through downstream logic and surfaces limited sensitive information in its response. …
Remediation Consult the HCL Software PSIRT advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0132296 (KB0132296) for the authoritative remediation guidance, including any patched version numbers. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy