Description
HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise.
Published: 2026-06-05
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in HCL Digital Experience’s Digital Asset Management API, allowing an attacker to execute arbitrary operating system commands with the privileges of that application. The flaw leads to potential system takeover and data compromise, as stated in the description. The weakness corresponds to CWE‑78, reflecting improper handling of user‑supplied input in a command‑execution context.

Affected Systems

HCL Digital Experience from HCLSoftware is affected. No specific version range is listed, so any installation that has not applied a patch may be vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is available, so the exploitation probability is unknown. The description implies remote exploitation through the exposed API, and that is the attack vector inferred here. The vulnerability is not listed in the CISA KEV catalog. An attacker would likely craft malicious requests to the Digital Asset Management API to trigger arbitrary command execution and achieve full system compromise.

Generated by OpenCVE AI on June 5, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HCL Digital Experience patch that addresses the OS command injection flaw in the Digital Asset Management API.
  • Restrict the Digital Asset Management API to trusted users and systems by enforcing authentication and authorization controls.
  • Enforce strict input validation and sanitization on all API parameters to eliminate the possibility of command execution.
  • Monitor API usage and system logs for anomalous patterns or unexpected command execution to detect potential exploitation attempts.

Generated by OpenCVE AI on June 5, 2026 at 07:50 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 08:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Hcltech; Hcltech digital Experience |
| Vendors & Products | | Hcltech; Hcltech digital Experience |

Fri, 05 Jun 2026 06:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise. |
| Title | | HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-06-05T05:50:58.161Z

Reserved: 2026-01-05T16:08:25.000Z

Link: CVE-2026-21837

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T07:16:30.027

Modified: 2026-06-05T07:16:30.027

Link: CVE-2026-21837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T08:00:19Z

Weaknesses