Skip to main content

HCL Verse Android CVE-2026-21768

| EUVDEUVD-2026-38035 MEDIUM
Improper Input Validation (CWE-20)
2026-06-19 HCL GHSA-95q3-4wgq-gv5r
6.3
CVSS 3.1 · Vendor: HCL
Share

Severity by source

Vendor (HCL) PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
6.8 MEDIUM

HTML payload is network-delivered via email, warranting AV:N; AC:H retained for non-trivial triggering; UI:R for mandatory victim interaction in compose view.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS VectorVendor: HCL

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 15:30 vuln.today
CVE Published
Jun 19, 2026 - 14:50 cve.org
MEDIUM 6.3

DescriptionCVE.org

The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android's rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations.

AnalysisAI

HTML injection in HCL Verse for Android's rich text email composition component enables malicious content execution on the local device. The compose-rich-editor library (v1.0.0-rc14) bundled with HCL Verse for Android fails to sanitize HTML input, allowing crafted content to execute in the composition context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver malicious HTML via email or clipboard
Delivery
Victim opens HCL Verse for Android compose view
Exploit
Victim interacts with crafted HTML content
Execution
compose-rich-editor fails to sanitize input
Persist
Malicious HTML executes in WebView context
Impact
Sensitive data disclosed or content integrity compromised

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim is using the HCL Verse for Android application and actively engages with the rich text email composition feature (AV:L/UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 6.3 (Medium) with vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N presents a moderate aggregate risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTML payload - for example, an inline script or a data-exfiltration iframe - and delivers it to a target user, perhaps embedded in a forwarded email or a shared document link that the user pastes into HCL Verse for Android's rich text composition window. When the victim interacts with the maliciously crafted content within the editor, the compose-rich-editor library fails to strip or escape the dangerous HTML, causing it to execute within the app's WebView context. …
Remediation The primary remediation is to apply the patch or updated version of HCL Verse for Android as directed by HCL Software's advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130866. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy