Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable reflected XSS with no attacker privileges; scope changes to victim browser; C:L/I:L reflects typical XSS session-theft impact without confirmed full takeover evidence.
Primary rating from Vendor (TCS-CERT).
CVSS VectorVendor: TCS-CERT
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in HCL Notes from HCL Software allows reflected
Cross-Site Scripting (XSS). Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of another user.
This issue affects HCL Notes: Release 12.0.2FP5HF8 on Linux 4.18.0-553.52.1.El8_10.X64_64#1.
AnalysisAI
Reflected cross-site scripting in HCL Notes 12.0.2FP5HF8 enables unauthenticated network attackers to inject and execute arbitrary JavaScript in the browser sessions of targeted users who interact with malicious links. The CVSS 4.0 vector (SC:H/SI:H/SA:H) signals high downstream impact on victim sessions - including potential session hijacking, credential theft, and unauthorized action execution within the Notes web environment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running HCL Notes Release 12.0.2FP5HF8 on Linux (RHEL 8.10, kernel 4.18.0-553.52.1.el8_10.x86_64) - other versions or platforms are not confirmed affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.5 accurately reflects a moderate-severity XSS: exploitation is network-accessible with no attacker privileges required (PR:N), but mandatory active victim interaction (UI:A) eliminates automated, wormable exploitation paths. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an HCL Notes Domino web endpoint that reflects a URL parameter or form field directly into the page response without encoding. The attacker constructs a URL embedding a JavaScript payload in the vulnerable parameter and delivers it to a targeted Notes user via a phishing email or malicious link. … |
| Remediation | No vendor-released patch or specific fix version has been identified in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44706
GHSA-3fq3-hrxw-v9q9