Description
HCL ZIE for Web is affetced by an Unrestricted File Upload vulnerability, If the server is configured to execute code, then it may be possible to obtain command execution on the server by uploading a file known as a web shell, which allows you to execute arbitrary code or operating system commands. For this attack to be successful, the file needs to be uploaded inside the Webroot, and the server must be configured to execute the code
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unrestricted file upload flaw exists in HCL ZIE for Web that allows an attacker to place arbitrary files in the webroot. If the server is configured to execute uploaded code, the attacker can upload a file such as a web shell and run arbitrary commands. This vulnerability is linked to the weakness of inadequate input validation (CWE-209). The impact is that a successful upload can lead to execution of malicious code on the server, compromising confidentiality, integrity, and potentially availability of the affected system.

Affected Systems

All installations of HCL Software ZIE for Web are potentially affected, particularly those that permit uploaded files to be executed within the webroot. No specific version details are provided; the vulnerability applies to any affected deployment where code execution is enabled for uploaded content.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk level. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the file to be uploaded to a location that the web server treats as executable. If the server is not configured to execute uploaded code, the attack vector is ineffective. Therefore, the primary risk lies in environments where execution permissions are granted to upload directories. While the vulnerability does not guarantee immediate remote code execution without proper configuration, it is a valid concern for improperly secured installations.

Generated by OpenCVE AI on June 18, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest HCL ZIE for Web patch or upgrade to a version that removes the unrestricted upload functionality.
  • Reconfigure the web server to deny execution of files in the upload or webroot directories, ensuring that only static content can be executed.
  • Implement strict file type validation and size limits on upload endpoints, rejecting any files that do not match an allowed whitelist.

Generated by OpenCVE AI on June 18, 2026 at 11:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech
Hcltech zie For Web
Vendors & Products Hcltech
Hcltech zie For Web

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description HCL ZIE for Web is affetced by an Unrestricted File Upload vulnerability, If the server is configured to execute code, then it may be possible to obtain command execution on the server by uploading a file known as a web shell, which allows you to execute arbitrary code or operating system commands. For this attack to be successful, the file needs to be uploaded inside the Webroot, and the server must be configured to execute the code
Title HCL ZIE for Web is affetced by an Unrestricted File Upload vulnerability,
Weaknesses CWE-209
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Hcltech Zie For Web
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-06-17T15:03:38.035Z

Reserved: 2025-09-22T15:00:11.104Z

Link: CVE-2025-59872

cve-icon Vulnrichment

Updated: 2026-06-17T15:03:33.809Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:48Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information