Skip to main content

Dfxserver

4 CVEs product

Monthly

CVE-2026-35147 HIGH This Week

Authentication bypass in HCL DFXServer allows remote unauthenticated attackers to reach specific API endpoints directly and perform unauthorized actions without valid credentials, because the application never verifies authentication status on those routes. The primary impact is high confidentiality exposure with limited integrity impact (CVSS 8.2), and the flaw was self-reported by HCL. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dfxserver
NVD VulDB
CVSS 3.1
8.2
CVE-2026-35149 HIGH This Week

Authentication bypass in HCL DFXServer lets an unauthenticated remote attacker intercept and tamper with the server's authentication responses to be granted access as a legitimate user without presenting valid credentials. Rated CVSS 8.2 (high) with CWE-294 (Authentication Bypass by Capture-replay), the flaw exposes confidential application data to any network-reachable attacker. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dfxserver
NVD VulDB
CVSS 3.1
8.2
CVE-2026-35148 MEDIUM This Month

Unauthenticated API access in HCL DFXServer exposes application endpoints to any network-reachable user without identity verification. The missing access control allows interactions with protected functionality - including read and write operations - from a browser or client that holds no valid session or credentials. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 6.3 medium score and PR:N vector confirm that authentication is not required to reach the affected endpoints.

Authentication Bypass Dfxserver
NVD VulDB
CVSS 3.1
6.3
CVE-2026-35146 MEDIUM This Month

HCL DFXServer permits client connections over plaintext HTTP, exposing all transmitted data to interception by any attacker with a man-in-the-middle position on the network path. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) confirms remote exploitation without authentication, contingent on a user initiating an HTTP session. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the risk is structurally inherent to any deployment where HTTP remains permitted alongside or instead of HTTPS.

Information Disclosure Dfxserver
NVD VulDB
CVSS 3.1
6.3
CVSS 8.2
HIGH This Week

Authentication bypass in HCL DFXServer allows remote unauthenticated attackers to reach specific API endpoints directly and perform unauthorized actions without valid credentials, because the application never verifies authentication status on those routes. The primary impact is high confidentiality exposure with limited integrity impact (CVSS 8.2), and the flaw was self-reported by HCL. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dfxserver
NVD VulDB
CVSS 8.2
HIGH This Week

Authentication bypass in HCL DFXServer lets an unauthenticated remote attacker intercept and tamper with the server's authentication responses to be granted access as a legitimate user without presenting valid credentials. Rated CVSS 8.2 (high) with CWE-294 (Authentication Bypass by Capture-replay), the flaw exposes confidential application data to any network-reachable attacker. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dfxserver
NVD VulDB
CVSS 6.3
MEDIUM This Month

Unauthenticated API access in HCL DFXServer exposes application endpoints to any network-reachable user without identity verification. The missing access control allows interactions with protected functionality - including read and write operations - from a browser or client that holds no valid session or credentials. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 6.3 medium score and PR:N vector confirm that authentication is not required to reach the affected endpoints.

Authentication Bypass Dfxserver
NVD VulDB
CVSS 6.3
MEDIUM This Month

HCL DFXServer permits client connections over plaintext HTTP, exposing all transmitted data to interception by any attacker with a man-in-the-middle position on the network path. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) confirms remote exploitation without authentication, contingent on a user initiating an HTTP session. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the risk is structurally inherent to any deployment where HTTP remains permitted alongside or instead of HTTPS.

Information Disclosure Dfxserver
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy