Description
HCL Sametime is vulnerable to broken server-side validation. While the application performs client-side input checks, these are not enforced by the web server. An attacker can bypass these restrictions by sending manipulated HTTP requests directly to the server.
Published: 2026-03-17
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection via server‑side validation bypass
Action: Patch
AI Analysis

Impact

HCL Sametime contains a flaw where server‑side input validation is missing, allowing client‑side checks to be bypassed. An attacker can craft HTTP requests that reach the server unfiltered, leading to a boolean‑based SQL injection. This vulnerability may enable unauthorized execution of SQL commands, potentially exposing or altering sensitive data.

Affected Systems

The affected product is HCL Sametime. No specific version information is supplied in the CNA data. Administrators should review their deployment and consult the HCL support article referenced in the advisory to determine if they are impacted.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and the EPSS score below 1% suggests a low probability of exploitation. Because the vulnerability is not listed in the CISA KEV catalog, no large‑scale compromises have been reported. However, a remote attacker can issue HTTP requests directly to the Sametime server to exploit the flaw. Patching remains the recommended action to eliminate this risk.

Generated by OpenCVE AI on April 1, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch or update indicated in the HCL support article (KB0124722).
  • Verify that server‑side input validation is enabled or configure the application to reject malformed inputs.
  • Deploy a web‑application firewall or input filtering to block suspicious requests until a patch is applied.
  • Enable logging and monitoring for anomalous HTTP traffic that may indicate exploitation attempts.
  • Keep the system updated with future HCL security releases.

Generated by OpenCVE AI on April 1, 2026 at 07:24 UTC.
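
The pattern the description names, client-side checks that the server never enforces, is easiest to see in code. The following is an added example written for this page, not HCL code, and nothing in it reflects Sametime's actual handlers, endpoints or schema: a hypothetical directory lookup backed by an in-memory SQLite table with constructed rows. The "before" handler trusts the browser's check and concatenates the value into SQL, so a request that skips the browser check reaches the query unfiltered and a boolean tautology returns every row. The "after" handler applies the same allowlist rule on the server and binds the value as a query parameter; the second control is my own addition to the page's recommendation, shown because it neutralises the injection even if a validation rule is later relaxed.

```python
import re
import sqlite3

# Constructed sample rows standing in for a server-side user directory
# (hypothetical; not HCL Sametime's schema).
SAMPLE_USERS = [
    ("alice", "Alice Example", "alice@example.test"),
    ("bob", "Bob Example", "bob@example.test"),
    ("carol", "Carol Example", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """'Before' handler (hypothetical): assumes the browser already validated
    `login` and builds the statement by string concatenation. A request that
    bypasses the browser check reaches this query unfiltered."""
    sql = "SELECT login, name, email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


class ValidationError(ValueError):
    """Raised when server-side validation rejects a request parameter."""


# Allowlist mirroring a typical client-side rule: 1-32 chars of [a-z0-9._-].
LOGIN_RE = re.compile(r"[a-z0-9._-]{1,32}")


def validate_login(login: str) -> str:
    """Server-side allowlist check, enforced where a client cannot skip it."""
    if not isinstance(login, str) or LOGIN_RE.fullmatch(login) is None:
        raise ValidationError("login must be 1-32 characters of [a-z0-9._-]")
    return login


def lookup_parameterized_only(conn: sqlite3.Connection, login: str) -> list:
    """Binding alone: the value is passed as data, never parsed as SQL, so a
    tautology simply matches no login. Shown to isolate the effect of binding."""
    sql = "SELECT login, name, email FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, login: str) -> list:
    """'After' handler: validate on the server, then bind the parameter."""
    return lookup_parameterized_only(conn, validate_login(login))


def demo() -> dict:
    """Run each handler against a benign login and a constructed
    boolean-based payload and report the row counts / outcome."""
    conn = make_db()
    tautology = "x' OR 'a'='a"  # constructed payload for the demonstration
    out = {
        "vuln_benign": len(lookup_vulnerable(conn, "alice")),
        "vuln_payload": len(lookup_vulnerable(conn, tautology)),
        "param_only_payload": len(lookup_parameterized_only(conn, tautology)),
        "hard_benign": len(lookup_hardened(conn, "alice")),
    }
    try:
        lookup_hardened(conn, tautology)
        out["hard_payload"] = "accepted"
    except ValidationError:
        out["hard_payload"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The rejection branch is also the natural place to emit the log record the monitoring recommendation asks for: a server-side validation failure on a parameter the client would never have sent is exactly the "anomalous HTTP traffic" signal to alert on.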

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000
  CPEs, Values Added: cpe:2.3:a:hcltech:sametime:*:*:*:*:*:-:*:*

Wed, 18 Mar 2026 12:15:00 +0000
  First Time appeared, Values Added: Hcltech; Hcltech sametime
  Vendors & Products, Values Added: Hcltech; Hcltech sametime

Tue, 17 Mar 2026 13:15:00 +0000
  Metrics, Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 11:45:00 +0000
  Description, Values Added: HCL Sametime is vulnerable to broken server-side validation. While the application performs client-side input checks, these are not enforced by the web server. An attacker can bypass these restrictions by sending manipulated HTTP requests directly to the server.
  Title, Values Added: Boolean-Based SQL Injection in Multiple Unica Components
  Weaknesses, Values Added: CWE-20
  References:
  Metrics, Values Added: cvssV3_1 {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-17T12:57:24.795Z

Reserved: 2025-04-01T18:46:23.152Z

Link: CVE-2025-31966

Vulnrichment

Updated: 2026-03-17T12:57:22.096Z

NVD

Status: Analyzed

Published: 2026-03-17T12:16:12.337

Modified: 2026-03-31T21:06:04.083

Link: CVE-2025-31966

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T08:00:06Z

Weaknesses