Skip to main content

HCL DX Compose CVE-2026-21825

| EUVDEUVD-2026-34788 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-05 HCL GHSA-26cp-fff5-jqv5
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 07:20 vuln.today

DescriptionNVD

HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center.  An attacker could execute arbitrary JavaScript in the victim's browser.

AnalysisAI

Reflected cross-site scripting in HCL Digital Experience Compose's search center allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session. The CVSS Scope:Changed rating reflects that the injected script executes outside the originating application's security domain, enabling session hijacking, credential harvesting, or malicious UI redirection against authenticated portal users. No public exploit code and no active exploitation have been identified at time of analysis, though the low attack complexity and absence of privilege requirements make it trivially deliverable via phishing.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: the search center component of HCL Digital Experience Compose reflects attacker-supplied input directly into the HTTP response without sufficient output encoding or sanitization. This is a classic reflected (non-persistent) XSS pattern - the malicious payload travels in the request, is mirrored in the response, and executes immediately in the victim's browser. The CVSS Scope:Changed attribute is significant for an XSS vulnerability: it indicates the injected script can affect resources beyond the vulnerable application's own origin, consistent with cross-origin actions such as cookie theft or redirection. The affected product is identified by CPE cpe:2.3:a:hclsoftware:dx_compose:*:*:*:*:*:*:*:*, where the wildcard version field indicates the full version range is not bounded in available NVD data.

RemediationAI

Consult the HCL Software advisory KB0130849 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849 for vendor-issued patches; the exact fixed version is not confirmed in currently available public data and must be obtained directly from HCL support. As a compensating control pending patching, organizations can restrict access to the DX Compose search center via web application firewall rules that sanitize or block reflected input in search query parameters - note this may degrade search functionality. Additionally, enforcing Content Security Policy (CSP) headers on DX Compose responses can limit the impact of script injection by restricting allowed script sources, though CSP alone does not eliminate the vulnerability.

Share

CVE-2026-21825 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy