Skip to main content

HCL Digital Experience EUVDEUVD-2026-34786

| CVE-2026-21837 HIGH
OS Command Injection (CWE-78)
2026-06-05 HCL GHSA-89jh-pgw9-qrmm
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 09:20 vuln.today
CVSS changed
Jun 05, 2026 - 07:22 NVD
8.7 (HIGH)
CVE Published
Jun 05, 2026 - 05:50 nvd
UNKNOWN (no severity yet)

DescriptionNVD

HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API.  An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise.

AnalysisAI

OS command injection in HCL Digital Experience 9.5 allows authenticated remote attackers to execute arbitrary operating system commands through the Digital Asset Management API, inheriting the privileges of the application service account and potentially achieving full host takeover and data compromise. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact over a network vector with low attack complexity and only low privileges required, though no public exploit identified at time of analysis. The vulnerability was disclosed by the vendor (HCL) and is tracked in ENISA's EUVD as EUVD-2026-34786.

Technical ContextAI

HCL Digital Experience (formerly IBM WebSphere Portal / HCL DX) is an enterprise web experience and portal platform that includes a Digital Asset Management (DAM) subsystem for storing and serving media and document assets via REST APIs. The flaw is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-controlled input reaching the DAM API is passed into an OS-level command invocation (shell, exec, or similar) without adequate sanitization or argument separation. The affected CPE is cpe:2.3:a:hclsoftware:digital_experience:*:*:*:*:*:*:*:*, indicating the issue lies in the HCL-branded Digital Experience product line, with EUVD specifically naming version 9.5.

RemediationAI

Patch status not explicitly enumerated in the input; consult the HCL advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849 for the exact cumulative fix (CF) level or interim fix that resolves the Digital Asset Management API command injection on Digital Experience 9.5, and apply it during the next maintenance window. As a compensating control until the fix is deployed, restrict network access to the DAM API endpoints behind the portal (typically under the /wps/mycontenthandler and DAM REST paths) so they are only reachable by trusted internal users - note this will break external DAM-driven content workflows and any headless integrations. Additionally, tighten the authorization model so that low-privileged portal users cannot reach DAM write/management operations (the PR:L vector implies any authenticated user is sufficient), and monitor application and OS process logs for unexpected shell, java.lang.Runtime, or ProcessBuilder invocations originating from the DX JVM, accepting the trade-off of increased log volume.

Share

EUVD-2026-34786 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy