Description
The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android's rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations.
Published: 2026-06-19
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The compose-rich-editor library used by HCL Verse for Android fails to properly validate all HTML input, creating an injection vulnerability (CWE-20) that can lead to the execution of malicious content (CWE-79). An attacker could send a specially crafted email or message that, when rendered or edited, carries malicious code that is executed within the context of the application. This could potentially result in disclosure of sensitive data or unauthorized actions performed under the user's credentials.

Affected Systems

HCLSoftware's Verse for Android, in the version that includes compose-rich-editor v1.0.0-rc14, is the only affected product. No other versions are listed as affected.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium-severity risk. The EPSS score is currently unavailable, so the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted email or message that a user opens or edits within the application, so the threat requires user interaction or social engineering.

Generated by OpenCVE AI on June 19, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HCL Verse for Android to a version that includes the fixed compose‑rich‑editor library, ensuring the vulnerability is patched.
  • If an upgrade is not immediately possible, disable HTML rendering or enforce strict input validation in the rich text editor to prevent injection of malicious code.
  • Monitor HCL Software security advisories and apply any subsequent updates promptly to mitigate emerging threats.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | The compose-rich-editor library (v1.0.0-rc14) used in HCL Verse for Android's rich text email composition fails to properly validate all HTML input thereby allowing malicious content to be executed in certain situations.
Title | | HCL Verse for Android is susceptible to an injection vulnerability
Weaknesses | | CWE-20, CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-06-19T14:50:02.931Z

Reserved: 2026-01-05T16:07:58.367Z

Link: CVE-2026-21768

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:00:04Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')