Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
HTML payload is network-delivered via email, warranting AV:N; AC:H retained for non-trivial triggering; UI:R for mandatory victim interaction in compose view.
Primary rating from Vendor (HCL).
CVSS VectorVendor: HCL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android's rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations.
AnalysisAI
HTML injection in HCL Verse for Android's rich text email composition component enables malicious content execution on the local device. The compose-rich-editor library (v1.0.0-rc14) bundled with HCL Verse for Android fails to sanitize HTML input, allowing crafted content to execute in the composition context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim is using the HCL Verse for Android application and actively engages with the rich text email composition feature (AV:L/UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 6.3 (Medium) with vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N presents a moderate aggregate risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious HTML payload - for example, an inline script or a data-exfiltration iframe - and delivers it to a target user, perhaps embedded in a forwarded email or a shared document link that the user pastes into HCL Verse for Android's rich text composition window. When the victim interacts with the maliciously crafted content within the editor, the compose-rich-editor library fails to strip or escape the dangerous HTML, causing it to execute within the app's WebView context. … |
| Remediation | The primary remediation is to apply the patch or updated version of HCL Verse for Android as directed by HCL Software's advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130866. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38035
GHSA-95q3-4wgq-gv5r