
HCL AION EUVD-2025-209850

CVE-2025-62309 | Severity: LOW (CVSS 3.1 base score 2.6)
Insertion of Sensitive Information Into Sent Data (CWE-201)
Published: 2026-05-14 | Vendor: HCL | Advisory: GHSA-g36x-vg49-93vr

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: May 14, 2026 - 17:32 (vuln.today)
CVE Published: May 14, 2026 - 16:10 (nvd)

Description (NVD)

HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. This may allow sensitive information to be stored in the browser, potentially leading to unintended exposure under specific conditions.

Analysis (AI)

HCL AION stores sensitive information in browser auto-complete caches for certain input fields, potentially exposing credentials or other sensitive data to local attackers or through browser history under specific conditions. Exploitation requires adjacent network access, high attack complexity, user interaction, and low privileges, which limits the real-world scope but still poses a risk on shared or compromised workstations.

Technical Context (AI)

The vulnerability stems from CWE-201 (Insertion of Sensitive Information into Sent Data), which occurs when web applications leave HTML5 autocomplete enabled on password, username, or other sensitive input fields. Browser auto-complete is designed to cache form data for user convenience, but it can inadvertently persist credentials in plaintext browser storage (the autocomplete cache or local storage) that is accessible to other local users, to scripts, or through browser forensics. The affected product is HCL AION (all versions per CPE), a software platform by HCL Software. The flaw is a design/configuration issue rather than a memory-safety or logic error: the application fails to explicitly disable autocomplete on sensitive fields via autocomplete='off' or an equivalent mechanism.

Remediation (AI)

Apply the security patch or upgrade provided by HCL Software via their support portal at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636; consult the advisory for the specific fixed version. Pending patch deployment, disable auto-complete on sensitive input fields by adding autocomplete='off' or autocomplete='new-password' to the HTML form elements that handle credentials, secrets, or personally identifiable information. For browser-based deployments, configure the application server to send HTTP headers such as Cache-Control: no-store and Pragma: no-cache to reduce browser caching of sensitive pages. Educate end users to avoid saving credentials in browser password managers on shared or untrusted workstations, and configure browsers to clear the auto-complete cache on logout. Note that disabling autocomplete may degrade the user experience for legitimate users but is essential in multi-user environments.
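The two mitigations above (autocomplete on sensitive fields and cache-control headers) are easy to verify mechanically. The following Python script is an added example written for this page; it is not code from HCL AION, HCL Software, or vuln.today. It parses a page's form markup with the standard library, flags password-type or secret-looking inputs that do not carry autocomplete='off' or autocomplete='new-password' (inheriting the form's own autocomplete value where the input has none), and checks a response's headers for Cache-Control: no-store and Pragma: no-cache. The sensitive-name pattern and both sample forms and header sets are constructed assumptions, not taken from the product.

```python
"""Audit HTML forms and response headers for browser auto-complete exposure.

Added example for this advisory page; not HCL AION or vuln.today code.
The sensitive-name heuristic, sample markup and sample headers are all
constructed for illustration.
"""
import re
from html.parser import HTMLParser

# autocomplete values that stop browsers from offering or storing the value
SAFE_AUTOCOMPLETE = {"off", "new-password"}

# Assumed heuristic: field names that commonly carry credentials or PII
SENSITIVE_NAME = re.compile(
    r"(user|pass|pwd|secret|token|api[_-]?key|ssn|card|cvv)", re.IGNORECASE
)


class FormAuditor(HTMLParser):
    """Collect sensitive <input> fields whose autocomplete is not disabled."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None   # value set on the enclosing <form>
        self.findings = []              # (field name, input type, autocomplete)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                 # html.parser lowercases attribute names
        if tag == "form":
            self.form_autocomplete = (a.get("autocomplete") or "").lower()
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            name = a.get("name") or a.get("id") or "<unnamed>"
            sensitive = itype == "password" or bool(SENSITIVE_NAME.search(name))
            if not sensitive:
                return
            # an input without its own attribute inherits the form's setting
            ac = (a.get("autocomplete") or self.form_autocomplete or "").lower()
            if ac not in SAFE_AUTOCOMPLETE:
                self.findings.append((name, itype, ac or "(unset)"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit_html(markup):
    """Return a list of (name, type, autocomplete) for exposed sensitive fields."""
    parser = FormAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


def audit_headers(headers):
    """Return the cache-control problems found in a response header mapping."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    problems = []
    if "no-store" not in h.get("cache-control", ""):
        problems.append("Cache-Control lacks no-store")
    if h.get("pragma", "") != "no-cache":
        problems.append("Pragma is not no-cache")
    return problems


# Constructed sample: a login form with autocomplete left enabled
VULNERABLE_FORM = """
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="api_key" autocomplete="on">
  <input type="text" name="search">
</form>
"""

# Constructed sample: the same form with the advisory's mitigation applied
HARDENED_FORM = """
<form method="post" action="/login" autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="new-password">
  <input type="text" name="api_key" autocomplete="off">
  <input type="text" name="search">
</form>
"""

WEAK_HEADERS = {"Cache-Control": "no-cache", "Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for label, markup in (("vulnerable", VULNERABLE_FORM), ("hardened", HARDENED_FORM)):
        print(label, "form findings:", audit_html(markup))
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "header problems:", audit_headers(hdrs))
```

Run against the vulnerable sample the audit reports the username, password and api_key fields (the search box is not flagged); against the hardened sample it reports nothing. The header check treats Cache-Control: no-cache alone as insufficient, since only no-store tells the browser not to write the response to disk.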


EUVD-2025-209850 vulnerability details – vuln.today
