Description
HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. This may allow sensitive information to be stored in the browser, potentially leading to unintended exposure under specific conditions.
Published: 2026-05-14
Score: 2.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from auto‑complete functionality that is enabled for certain input fields within HCL AION. This behavior can cause sensitive information to be stored in the browser’s auto‑complete cache, which may be exposed to unintended users or processes if the data is later retrieved from the browser. The weakness is classified as CWE‑201, indicating an improper storage of confidential information within a device that could be read or copied by unauthorized parties. The overall impact is the potential disclosure of sensitive data, rather than code execution or denial of service.

Affected Systems

AION, a product of HCL software. No specific version information is provided, so the vulnerability may affect all releases until the vendor issues a patch or configuration fix. Users of HCL AION should consult the vendor’s advisory for exact version applicability.

Risk and Exploitability

The CVSS score of 2.6 places this issue in the low severity range. EPSS data is not available, so the probability of exploitation cannot be quantified, and the vulnerability has not been reported in the CISA KEV catalog. The likely attack vector involves a local or user‑level context: an authenticated user interacting with the application may cause data to be cached in their browser and subsequently accessed by other users or processes on the same machine. Even with low probability, the risk of leaking sensitive information warrants prompt remediation.

Generated by OpenCVE AI on May 14, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch or update released by HCL to disable auto‑complete on the affected input fields.
  • If a patch is unavailable or delayed, temporarily disable auto‑complete for the known vulnerable fields, either by configuring the application to prevent storage of data or by using a browser extension that blocks auto‑complete for these pages.
  • Educate users to avoid entering highly sensitive information in form fields that may trigger auto‑complete, and verify that the browser’s auto‑complete history does not retain such data after clearing the cache or history.

Generated by OpenCVE AI on May 14, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Hcl
Hcl aion
Vendors & Products Hcl
Hcl aion
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. This may allow sensitive information to be stored in the browser, potentially leading to unintended exposure under specific conditions.
Title HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields.
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 2.6, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N'}

Subscriptions

Hcl Aion
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-14T18:30:54.675Z

Reserved: 2025-10-10T09:04:16.877Z

Link: CVE-2025-62309

cve-icon Vulnrichment

Updated: 2026-05-14T18:30:51.457Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T17:16:18.047

Modified: 2026-05-14T17:22:46.577

Link: CVE-2025-62309

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T19:00:12Z

Weaknesses