Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center. An attacker could execute arbitrary JavaScript in the victim's browser.
AnalysisAI
Reflected cross-site scripting in HCL Digital Experience Compose's search center allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session. The CVSS Scope:Changed rating reflects that the injected script executes outside the originating application's security domain, enabling session hijacking, credential harvesting, or malicious UI redirection against authenticated portal users. No public exploit code and no active exploitation have been identified at time of analysis, though the low attack complexity and absence of privilege requirements make it trivially deliverable via phishing.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: the search center component of HCL Digital Experience Compose reflects attacker-supplied input directly into the HTTP response without sufficient output encoding or sanitization. This is a classic reflected (non-persistent) XSS pattern - the malicious payload travels in the request, is mirrored in the response, and executes immediately in the victim's browser. The CVSS Scope:Changed attribute is significant for an XSS vulnerability: it indicates the injected script can affect resources beyond the vulnerable application's own origin, consistent with cross-origin actions such as cookie theft or redirection. The affected product is identified by CPE cpe:2.3:a:hclsoftware:dx_compose:*:*:*:*:*:*:*:*, where the wildcard version field indicates the full version range is not bounded in available NVD data.
RemediationAI
Consult the HCL Software advisory KB0130849 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849 for vendor-issued patches; the exact fixed version is not confirmed in currently available public data and must be obtained directly from HCL support. As a compensating control pending patching, organizations can restrict access to the DX Compose search center via web application firewall rules that sanitize or block reflected input in search query parameters - note this may degrade search functionality. Additionally, enforcing Content Security Policy (CSP) headers on DX Compose responses can limit the impact of script injection by restricting allowed script sources, though CSP alone does not eliminate the vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34788
GHSA-26cp-fff5-jqv5