CVE-2026-21788
Received - Intake
Cross-Site Scripting in HCL Connections Enables Account Hijacking
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: HCL Software
Description
HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user, which leads to executing malicious script code. This may allow the attacker to steal cookie-based authentication credentials and compromise the user's account, then launch other attacks.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcltech | connections | 8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |