Description
HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.
Published: 2026-05-06
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HCL BigFix RunBookAI is affected by a flaw in input handling that can allow an attacker to inject or smuggle malicious commands. The vulnerability enables unauthorized command execution, giving the attacker control over the application and potentially the underlying system. The weakness is categorized by CWE-351, CWE-451, and CWE-77, indicating a failure to properly validate input, combined with a potential for command smuggling or injection.

Affected Systems

The affected product is HCL: BigFix RunBookAI. The publicly available data does not specify individual version numbers or build identifiers.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity and that the vulnerability could lead to full compromise of the affected system. EPSS data is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation yet. Based on the description, the potential attack vector likely requires that an attacker can input data into the vulnerable component, which may be possible through authenticated or unauthenticated interfaces. The lack of an explicit attack vector in the information means that the safest assumption is that the attacker can supply crafted input to trigger command execution.

Generated by OpenCVE AI on May 6, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HCL BigFix RunBookAI patch or upgrade to a version that addresses the command injection flaw.
  • Implement input validation or a whitelist of acceptable commands for the vulnerable component.
  • Deploy an application firewall or traffic monitoring solution to detect and block malicious command injection attempts.


Tracking


Advisories

No advisories yet.

History

Wed, 06 May 2026 13:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 12:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.

Type: Title
Values Removed: (none)
Values Added: HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-351, CWE-451, CWE-77

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-06T12:19:46.443Z

Reserved: 2025-04-01T18:46:19.516Z

Link: CVE-2025-31951

Vulnrichment

Updated: 2026-05-06T12:19:43.158Z

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:26.087

Modified: 2026-05-06T19:05:56.337

Link: CVE-2025-31951

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T13:30:04Z

Weaknesses