Skip to main content

HCL DFXAnalytics CVE-2026-56456

| EUVDEUVD-2026-44924 MEDIUM
Information Exposure (CWE-200)
2026-07-16 HCL GHSA-493w-xg7v-8gmv
5.3
CVSS 3.1 · Vendor: HCL
Share

Severity by source

Vendor (HCL) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible dashboard requires no authentication (PR:N, AV:N); disclosure yields only file path enumeration with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS VectorVendor: HCL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 16, 2026 - 14:16 vuln.today

DescriptionCVE.org

HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability. The application dashboard inadvertently leaks sensitive information regarding its internal file structure and directory paths through unhandled error messages, system logs, or debugging output, which could allow a remote attacker to map the underlying server environment and identify targets for further exploitation.

AnalysisAI

HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system logs, or debugging output rendered by the application dashboard. All versions are affected per the wildcard CPE, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated remote attackers can trivially trigger and read this disclosure with no special configuration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access DFXAnalytics dashboard unauthenticated
Delivery
Send malformed or error-inducing HTTP request
Exploit
Read file paths from unhandled error response
Execution
Map internal server directory structure
Impact
Identify targets for follow-on exploitation

Vulnerability AssessmentAI

Exploitation No special conditions are required for initial access - CVSS AV:N/AC:L/PR:N/UI:N/S:U confirms the DFXAnalytics dashboard is network-accessible without authentication, and triggering the disclosure requires only low-complexity interaction (malformed or error-inducing requests). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score is proportionate: AV:N/AC:L/PR:N/UI:N means the flaw is trivially reachable by any unauthenticated remote attacker, but impact is bounded to C:L with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends a series of malformed or boundary-case HTTP requests to the HCL DFXAnalytics dashboard, deliberately triggering unhandled error conditions. The application returns verbose error messages or debug output containing absolute file system paths, log file locations, and internal directory structure. …
Remediation Consult HCL Software knowledge base article KB0131787 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131787 for the vendor-recommended patch or configuration fix; an exact patched version number is not confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-56455 HIGH
7.5 Jul 16

Denial of service in HCL DFXAnalytics version 3.0 and below allows remote unauthenticated attackers to crash or hang the

CVE-2026-56454 HIGH
7.5 Jul 16

Cleartext-adjacent data exposure in HCL DFXAnalytics (version 3.0 and below) stems from continued support for the deprec

CVE-2026-56453 CRITICAL
9.8 Jul 16

Account takeover in HCL DFXAnalytics version 3.0 and below allows a remote attacker to intercept and alter server HTTP r

CVE-2026-35143 MEDIUM
6.5 Jul 16

Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication a

CVE-2026-35141 MEDIUM
5.3 Jul 16

Login replay vulnerability in HCL DFXAnalytics enables a remote attacker in a man-in-the-middle network position to capt

CVE-2025-31970 MEDIUM
5.3 May 06

HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling

CVE-2026-35140 HIGH
7.2 Jul 16

Session cookie exposure in HCL DFXAnalytics (version 3.0 and below) occurs because authentication-generated cookies are

CVE-2026-35142 HIGH
8.2 Jul 16

Internal IP address disclosure in HCL DFXAnalytics (version 3.0 and below) exposes internal network topology data embedd

CVE-2025-59851 LOW
3.7 May 06

HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers w

CVE-2025-59852 LOW
3.7 May 06

HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to

CVE-2025-59866 LOW
3.3 Jul 17

Insecure file permissions on the HCL DFMPro (for CATIA), DFXAnalytics, and DFXServer installer executables allow any loc

CVE-2026-35145 LOW
3.1 Jul 16

Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attac

Share

CVE-2026-56456 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy