Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise.
AnalysisAI
OS command injection in HCL Digital Experience 9.5 allows authenticated remote attackers to execute arbitrary operating system commands through the Digital Asset Management API, inheriting the privileges of the application service account and potentially achieving full host takeover and data compromise. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact over a network vector with low attack complexity and only low privileges required, though no public exploit identified at time of analysis. The vulnerability was disclosed by the vendor (HCL) and is tracked in ENISA's EUVD as EUVD-2026-34786.
Technical ContextAI
HCL Digital Experience (formerly IBM WebSphere Portal / HCL DX) is an enterprise web experience and portal platform that includes a Digital Asset Management (DAM) subsystem for storing and serving media and document assets via REST APIs. The flaw is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-controlled input reaching the DAM API is passed into an OS-level command invocation (shell, exec, or similar) without adequate sanitization or argument separation. The affected CPE is cpe:2.3:a:hclsoftware:digital_experience:*:*:*:*:*:*:*:*, indicating the issue lies in the HCL-branded Digital Experience product line, with EUVD specifically naming version 9.5.
RemediationAI
Patch status not explicitly enumerated in the input; consult the HCL advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849 for the exact cumulative fix (CF) level or interim fix that resolves the Digital Asset Management API command injection on Digital Experience 9.5, and apply it during the next maintenance window. As a compensating control until the fix is deployed, restrict network access to the DAM API endpoints behind the portal (typically under the /wps/mycontenthandler and DAM REST paths) so they are only reachable by trusted internal users - note this will break external DAM-driven content workflows and any headless integrations. Additionally, tighten the authorization model so that low-privileged portal users cannot reach DAM write/management operations (the PR:L vector implies any authenticated user is sufficient), and monitor application and OS process logs for unexpected shell, java.lang.Runtime, or ProcessBuilder invocations originating from the DX JVM, accepting the trade-off of increased log volume.
More in Digital Experience
View allHCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which wo
HCL Digital Experience is susceptible to cross site scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerabilit
HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross-site scripting (XSS). Rated medium severity (CVSS 6.1), thi
In HCL Digital Experience, customized XSS payload can be constructed such that it is served in the application unencoded
HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access. Rate
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34786
GHSA-89jh-pgw9-qrmm