Skip to main content

Traveler EUVD-2026-14986

| CVE-2026-21783 MEDIUM
Error Message Information Leak (CWE-209)
2026-03-24 HCL GHSA-w3p4-547j-v9cv
Information Disclosure Traveler
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
14.5.1.0
EUVD ID Assigned
Mar 24, 2026 - 20:00 euvd
EUVD-2026-14986
Analysis Generated
Mar 24, 2026 - 20:00 vuln.today
CVE Published
Mar 24, 2026 - 19:48 nvd
MEDIUM 4.3

DescriptionCVE.org

HCL Traveler is affected by sensitive information disclosure.  The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces.  Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks.

AnalysisAI

HCL Traveler contains a sensitive information disclosure vulnerability where error messages expose internal system details including file paths, tokens, credentials, and stack traces. This affects all versions of HCL Traveler as indicated by the CPE string, and requires authenticated access (PR:L) to exploit but can be leveraged by low-privilege users to reconnaissance the application architecture for follow-up attacks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N indicates low real-world exploitability constraints: the vulnerability requires network access but is not particularly complex to trigger, demands low privileges (authenticated user), and produces no UI interaction requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid Traveler credentials (perhaps obtained through credential stuffing or a phished account) logs in and intentionally triggers error conditions by submitting malformed requests or accessing restricted resources. The application returns detailed error messages revealing internal API endpoint structure, backend database names, Java framework versions, and authentication token formats. …
Remediation HCL Software has released patches to address this vulnerability; organizations should immediately consult https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129139 to identify the patched version for their Traveler release line and apply it. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-14986 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy