Skip to main content

HCL DFXAnalytics CVE-2026-35145

| EUVDEUVD-2026-44920 LOW
Information Exposure (CWE-200)
2026-07-16 HCL
3.1
CVSS 3.1 · Vendor: HCL

Severity by source

Vendor (HCL) PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.2 MEDIUM

MitM downgrade requires network positioning (AC:H) and victim browsing action (UI:R), but no attacker privileges; confidentiality rated L because cleartext interception exposes session data.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS VectorVendor: HCL

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 16, 2026 - 13:47 vuln.today

DescriptionCVE.org

HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability. The application fails to implement the HTTP Strict Transport Security (HSTS) policy within its responses, which could allow a remote attacker to downgrade the communication channel to an unencrypted connection (HTTP) and conduct man-in-the-middle (MitM) attacks. To remediate this, the application must include the "Strict-Transport-Security" header in all web application responses.

AnalysisAI

Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attacks by network-positioned adversaries. All versions per the CPE wildcard are affected, and the application fails to include the Strict-Transport-Security response header, leaving browsers without enforcement of HTTPS-only communication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain network-adjacent position
Delivery
ARP spoof or intercept victim traffic
Exploit
SSL-strip initial HTTP request
Execution
Relay cleartext HTTP to victim
Impact
Capture session tokens or modify responses

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to achieve a network-on-path position between the victim's browser and the HCL DFXAnalytics server - for example via ARP spoofing, rogue Wi-Fi access point, or BGP hijacking - which is the source of the AC:H rating. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 3.1 (Low) reflects the realistic difficulty of exploitation: AV:N confirms the attack surface is network-facing, but AC:H (high attack complexity) acknowledges that a network-adjacent or on-path position is required to conduct the downgrade, and PR:L indicates the vendor considers an authenticated context necessary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a network-adjacent position - such as on a shared corporate Wi-Fi segment or via ARP cache poisoning - intercepts a victim user's initial HTTP request to HCL DFXAnalytics before the browser can enforce HTTPS. The attacker uses an SSL-stripping tool to maintain a TLS connection upstream to the server while serving cleartext HTTP downstream to the victim, transparently proxying and reading or modifying application traffic including session cookies or submitted data. …
Remediation The primary remediation is to configure all HCL DFXAnalytics web application response handlers to emit the Strict-Transport-Security header, for example: Strict-Transport-Security: max-age=31536000; includeSubDomains. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-56454 MEDIUM
5.9 Jul 16

TLS protocol downgrade exposure in HCL DFXAnalytics allows network-positioned attackers to intercept and decrypt sensiti

CVE-2026-56453 MEDIUM
5.5 Jul 16

Account takeover through HTTP response manipulation in HCL DFXAnalytics enables a network-positioned attacker to interce

CVE-2025-31970 MEDIUM
5.3 May 06

HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling

CVE-2026-56456 MEDIUM
5.3 Jul 16

HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system log

CVE-2026-56455 MEDIUM
5.3 Jul 16

Stack-based buffer overflow in HCL DFXAnalytics allows remote unauthenticated attackers to crash or render the applicati

CVE-2025-59851 LOW
3.7 May 06

HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers w

CVE-2025-59852 LOW
3.7 May 06

HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to

CVE-2025-59854 LOW
3.1 May 06

HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Securi

CVE-2025-59853 LOW
3.1 May 06

HCL DFXAnalytics exposes detailed stack traces in application responses due to improper error handling, allowing authent

CVE-2026-35143 LOW
3.0 Jul 16

Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication a

CVE-2026-35140 LOW
3.0 Jul 16

HCL DFXAnalytics fails to set the 'secure' attribute on session cookies generated during authentication, enabling a netw

CVE-2026-35142 LOW
2.6 Jul 16

Internal IP address exposure in HCL DFXAnalytics allows remote attackers who have obtained high-privilege authenticated

Share

CVE-2026-35145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy