Description
HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment. This may expose the application to potential security risks, including unintended behaviour or integrity impact when processing specially crafted files.
Published: 2026-03-16
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Integrity impact from untrusted file parsing
Action: Assess Impact
AI Analysis

Impact

The vulnerability occurs because HCL AION parses untrusted files outside of a properly isolated sandbox. This flaw can be exploited by sending specially crafted files that may alter application state or data, leading to integrity violations. The CVSS score of 4.7 indicates a medium-low severity, and the description only references integrity impact without mentioning confidentiality or availability disruption.

Affected Systems

All versions of HCL AION are potentially affected; the CVE data does not specify particular release numbers. Administrators should assume that any installed instance of AION could be vulnerable until an official patch is released.

Risk and Exploitability

The EPSS score is less than 1%, suggesting that real-world exploitation is rare at this time. HCL AION is not listed in the CISA KEV catalog, which reinforces the low likelihood of widespread attacks. The attack vector is not explicitly documented; it is inferred that the flaw could be triggered by a local or network-based file ingestion service that accepts untrusted input. The overall risk is moderate, given the low EPSS but the potential for integrity compromise if the flaw is exploited.

Generated by OpenCVE AI on March 18, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether HCL AION has released an update or patch addressing this issue; apply it as soon as possible.
  • If no patch is available, restrict or disable the upload of untrusted files in the application or environment.
  • Sanitize and validate all incoming files to mitigate malformed data before processing.
  • Consider implementing a sandbox or separate process for file parsing to contain potential misuse.
  • Monitor the system for anomalous changes to data or logs that could indicate exploitation attempts.

Generated by OpenCVE AI on March 18, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hcltech:aion:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech
Hcltech aion
Vendors & Products Hcltech
Hcltech aion

Mon, 16 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment. This may expose the application to potential security risks, including unintended behaviour or integrity impact when processing specially crafted files.
Title HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Hcltech Aion
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-16T18:42:46.429Z

Reserved: 2025-06-18T14:00:44.548Z

Link: CVE-2025-52643

cve-icon Vulnrichment

Updated: 2026-03-16T18:36:04.789Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T15:16:18.430

Modified: 2026-04-25T18:04:15.250

Link: CVE-2025-52643

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:44:26Z

Weaknesses