A recent SQL Injection flaw in HCL Aftermarket DPC permits unauthenticated or compromised users to embed malicious SQL statements into user supplied data. By exploiting the vulnerable input routine, an attacker can read arbitrary rows from the underlying database, potentially exposing customer records, product inventory, and other confidential information. The weakness corresponds to CWE-89: Improper Neutralization of Special Elements used in an SQL Statement. Additionally, the product's use of hard‑coded credentials (CWE-798) further lowers the barrier of entry once the injection is successful.

The affected product is HCL Aftermarket DPC, version 1.0.0, as identified by the vendor and reflected in the CPE string cpe:2.3:a:hcltech:aftermarket_cloud:1.0.0. No additional versions are listed, so only this release is known to be vulnerable.

The vulnerability has a CVSS score of 8.3, indicating a high severity level. Exploit probability data from EPSS is not available, and the flaw is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Because the description points to a SQL Injection, the most likely attack vector involves submitting crafted payloads through the application's web interface or API. Once the injection succeeds, an attacker could bypass normal authorization checks and gain full read access to the database. The impact spans confidentiality loss of sensitive data, and potential further exploitation if privileged credentials are also compromised.