Skip to main content

HCL BigFix SCM Reporting EUVDEUVD-2026-30155

| CVE-2026-21821 HIGH
Use of Unmaintained Third Party Components (CWE-1104)
2026-05-13 HCL GHSA-246p-fh28-56r9
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 08:40 vuln.today

DescriptionCVE.org

The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and increase the risk of client-side attacks such as Cross-Site Scripting (XSS) or manipulation through vulnerable third-party components.

AnalysisAI

Use of an end-of-life jQuery 1.x library in HCL BigFix SCM Reporting 11.0.5 exposes the management console to client-side attacks, including DOM-based XSS, inherited from publicly known unpatched flaws in the dependency. With no public exploit identified at time of analysis and a very low EPSS score (0.04%), the CVSS 8.3 rating reflects high theoretical impact rather than confirmed in-the-wild abuse, though successful exploitation requires user interaction with a crafted resource.

Technical ContextAI

The vulnerability falls under CWE-1104 (Use of Unmaintained Third Party Components). HCL BigFix SCM Reporting - the Security Configuration Management reporting site within the BigFix endpoint management platform - bundles jQuery 1.x, a major version line whose final release (1.12.4) shipped in 2016 and which the jQuery Foundation no longer issues security patches for. Known jQuery 1.x weaknesses include prototype pollution and DOM XSS sinks in $.parseHTML, $.extend, and selectors that interpret untrusted strings as HTML (CVE-2015-9251, CVE-2019-11358, CVE-2020-11022/11023). Because BigFix SCM Reporting is a browser-based administrative console used by operators reviewing endpoint compliance data, any DOM sink reachable through report parameters, query strings, or rendered endpoint data inherits these weaknesses.

RemediationAI

Patch status is not confirmed from the available data - consult the HCL knowledge base article at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130744 for the fixed BigFix SCM Reporting build, which is expected to upgrade the bundled jQuery to a supported 3.x release. Until the patched build is applied, restrict access to the SCM Reporting site to a trusted management VLAN or jump-host network and require operators to authenticate through SSO with short session timeouts to shrink the UI:R exposure window; trade-off is reduced convenience for distributed administrators. Where feasible, deploy a strict Content Security Policy on the reporting site to constrain inline script and untrusted HTML rendering, accepting that aggressive CSP may break legacy report widgets and require tuning.

Share

EUVD-2026-30155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy