Description
HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user’s browser.
Published: 2026-03-17
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration
Action: Patch
AI Analysis

Impact

The vulnerability is an HTML injection flaw caused by insufficient validation of user input in the HCL Sametime web application. An attacker can embed malicious HTML fragments that, when rendered by a victim’s browser, automatically load external resources such as images or scripts. These external requests can cause the browser to leak sensitive data to an attacker‑controlled server, resulting in potential data exfiltration. The weakness is categorized as CWE‑79, indicating an injection vulnerability that allows unintended content to be rendered on a web page.

Affected Systems

Affected systems include the HCL Sametime platform referenced in the CVE description. No specific version numbers are provided in the CNA data, so the vulnerability may affect all versions that exhibit the described input‑validation issue until a patch is released. Organizations should review their deployment to determine whether the affected components are in use.

Risk and Exploitability

The CVSS score of 4.7 places the vulnerability in the moderate range, and the lack of an EPSS score and absence from the KEV catalog suggest it is not a widely known or exploited issue at present. Exploitation requires a victim to load a page containing the injected HTML, implying a client‑side attack vector that can be performed by a user visiting a compromised site or by social engineering. Therefore, the risk is moderate, primarily limited to users who interact with the vulnerable web pages.

Generated by OpenCVE AI on March 17, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check HCL Software support portal for updates and apply any released patches as soon as possible.
  • Review all user‑supplied input fields in the web application and enforce proper sanitization or encoding to prevent HTML injection.
  • Consider deploying a Content Security Policy that restricts the domains from which the application can load external resources.

Generated by OpenCVE AI on March 17, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech
Hcltech sametime
Vendors & Products Hcltech
Hcltech sametime

Tue, 17 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Description HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user’s browser.
Title HTML Injection Leading to Data Exfiltration to External Server vulnerability affects HCL Unica Platform
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

Subscriptions

Hcltech Sametime
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-17T12:56:51.604Z

Reserved: 2025-10-10T09:04:19.898Z

Link: CVE-2025-62320

cve-icon Vulnrichment

Updated: 2026-03-17T12:56:48.535Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-17T13:16:16.503

Modified: 2026-03-17T14:20:01.670

Link: CVE-2025-62320

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:19Z

Weaknesses