CVE-2026-21788

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may allow the attacker steal cookie-based authentication credentials and comprise user's account then launch other attacks.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129107	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hcltech:connections:8.0:-::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release1::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release10::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release11::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release12::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release2::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release3::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release4::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release5::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release6::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release7::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release8::::::
	cpe:2.3:a:hcltech:connections:8.0:cumulative_release9::::::

History

No history.

Information

Published : 2026-03-19 09:16

Updated : 2026-03-19 18:42

NVD link : CVE-2026-21788

Mitre link : CVE-2026-21788

CVE.ORG link : CVE-2026-21788

JSON object : View

Products Affected

hcltech

connections

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-21788", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@hcl.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-19T09:16:16.950", "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129107", "tags": ["Vendor Advisory"], "source": "psirt@hcl.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@hcl.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code.\u00a0 This may allow the attacker steal cookie-based authentication credentials and comprise user's account then launch other attacks."}, {"lang": "es", "value": "HCL Connections es vulnerable a un ataque de cross-site scripting donde un atacante puede aprovechar este problema para ejecutar c\u00f3digo de script arbitrario en el navegador de un usuario desprevenido, lo que lleva a la ejecuci\u00f3n de c\u00f3digo de script malicioso. Esto puede permitir al atacante robar credenciales de autenticaci\u00f3n basadas en cookies y comprometer la cuenta del usuario para luego lanzar otros ataques."}], "lastModified": "2026-03-19T18:42:41.013", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:connections:8.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65CA8438-B6A6-4B36-826D-8625AACBC8FE"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF707A30-B342-43F2-A390-60E8FA8384D5"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release10:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "718ED7EC-3899-448D-B661-39463F5F71D2"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release11:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FFA414A1-C353-427F-B4EC-ED5BFC13EAF9"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release12:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A5A7E4B-9BDE-432E-8FAB-7CD8F1A2A81A"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "294AE19B-3678-49C3-8613-A9331C5C1481"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "773D1288-DF28-43F3-9517-B176DD840A8C"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FCB8E35-3FFA-42FA-8AEB-A2DD22D809C9"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8948C358-B168-45E3-BC9F-E5DA4DD56203"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6879F00-1C87-44A6-83DF-A1DC80A85A88"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28450E88-8377-4B0D-9383-B34C9EF28CC9"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13C3274C-0784-4C88-9A2D-D7AAE3D9FC2E"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:cumulative_release9:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3848284-F133-4B35-AC04-9E4FFB17EDF8"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@hcl.com"}