Description
The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and increase the risk of client-side attacks such as Cross-Site Scripting (XSS) or manipulation through vulnerable third-party components.
Published: 2026-05-13
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from the bundled, outdated jQuery 1.x library in the HCL BigFix SCM Reporting web application. Because the 1.x line is end-of-life, it no longer receives security fixes, leaving the application exposed to publicly known weaknesses in that library that can enable client-side attacks such as Cross-Site Scripting. The weakness is classified as CWE-1104 (Use of Unmaintained Third Party Components); a successful attack results in attacker-controlled script running in the victim's browser in the context of the reporting site when malicious input is rendered through the vulnerable library.

Affected Systems

The affected product is HCL Software's BigFix SCM Reporting web application. The record gives no affected version range, so any deployment that serves the bundled jQuery 1.x should be treated as at risk until the library is confirmed to have been replaced.

Risk and Exploitability

The CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) indicates high severity: the attack is reachable over the network and needs no privileges, but attack complexity is high and a user must interact (for example, open a crafted link or a report page carrying a payload). Scope is changed (S:C), consistent with script executing in the user's browser rather than on the reporting server. The EPSS score is below 1%, the CVE is not listed in CISA KEV, and the SSVC assessment records exploitation as "none" and "not automatable", so there is no evidence of exploitation at the time of writing. The likely attack vector is the web interface where user-controlled content is rendered through the outdated library; exploitation requires no server-side privileges but depends on injectable content being served by the application.

Generated by OpenCVE AI on May 13, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace or upgrade the bundled jQuery 1.x with a current, actively maintained version, or remove it if not needed.
  • Implement a strict Content Security Policy that disallows inline scripts and limits script sources to trusted origins.
  • Validate, encode, or escape all user‑supplied data before rendering it in the application.

Tracking

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Hclsoftware; Hclsoftware bigfix Scm Reporting

Type: Vendors & Products
Values Added: Hclsoftware; Hclsoftware bigfix Scm Reporting

Thu, 14 May 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 20:30:00 +0000

Type: Description
Values Added: The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and increase the risk of client-side attacks such as Cross-Site Scripting (XSS) or manipulation through vulnerable third-party components.

Type: Title
Values Added: HCL BigFix SCM Reporting is affected by vulnerabilities in jQuery

Type: Weaknesses
Values Added: CWE-1104

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Hclsoftware Bigfix Scm Reporting
MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-14T12:47:46.358Z

Reserved: 2026-01-05T16:08:22.254Z

Link: CVE-2026-21821

Vulnrichment

Updated: 2026-05-14T12:47:25.555Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T21:16:41.590

Modified: 2026-05-14T18:24:08.747

Link: CVE-2026-21821

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:35Z

Weaknesses