Skip to main content

HCL Notes EUVDEUVD-2026-44706

| CVE-2026-9007 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-15 TCS-CERT GHSA-3fq3-hrxw-v9q9
5.5
CVSS 4.0 · Vendor: TCS-CERT
Share

Severity by source

Vendor (TCS-CERT) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-reachable reflected XSS with no attacker privileges; scope changes to victim browser; C:L/I:L reflects typical XSS session-theft impact without confirmed full takeover evidence.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Primary rating from Vendor (TCS-CERT).

CVSS VectorVendor: TCS-CERT

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 16:20 vuln.today
CVE Published
Jul 15, 2026 - 15:41 cve.org
MEDIUM 5.5

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in HCL Notes from HCL Software allows reflected

Cross-Site Scripting (XSS). Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of another user.

This issue affects HCL Notes: Release 12.0.2FP5HF8 on Linux 4.18.0-553.52.1.El8_10.X64_64#1.

AnalysisAI

Reflected cross-site scripting in HCL Notes 12.0.2FP5HF8 enables unauthenticated network attackers to inject and execute arbitrary JavaScript in the browser sessions of targeted users who interact with malicious links. The CVSS 4.0 vector (SC:H/SI:H/SA:H) signals high downstream impact on victim sessions - including potential session hijacking, credential theft, and unauthorized action execution within the Notes web environment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify exposed HCL Notes web endpoint
Delivery
Craft URL with reflected XSS payload in vulnerable parameter
Exploit
Deliver malicious link to target user via phishing
Install
Victim clicks link, browser loads Notes web page
C2
Unsanitized input reflected in HTTP response
Execute
Arbitrary JavaScript executes in victim's Notes session context
Impact
Harvest session tokens or exfiltrate enterprise data

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be running HCL Notes Release 12.0.2FP5HF8 on Linux (RHEL 8.10, kernel 4.18.0-553.52.1.el8_10.x86_64) - other versions or platforms are not confirmed affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.5 accurately reflects a moderate-severity XSS: exploitation is network-accessible with no attacker privileges required (PR:N), but mandatory active victim interaction (UI:A) eliminates automated, wormable exploitation paths. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an HCL Notes Domino web endpoint that reflects a URL parameter or form field directly into the page response without encoding. The attacker constructs a URL embedding a JavaScript payload in the vulnerable parameter and delivers it to a targeted Notes user via a phishing email or malicious link. …
Remediation No vendor-released patch or specific fix version has been identified in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy