CVE-2026-21837
OS Command Injection in HCL Digital Experience
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: HCL Software
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcl | digital_experience | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS command injection in the Digital Asset Management API of HCL Digital Experience. It allows an attacker to execute arbitrary operating system commands on the affected system.
The commands executed by the attacker typically inherit the privileges of the vulnerable application, which can lead to serious security issues.
How can this vulnerability impact me?
Exploitation of this vulnerability could lead to a complete system takeover by the attacker.
It may also result in data compromise, as the attacker can execute arbitrary commands with the application's privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in HCL Digital Experience allows an attacker to execute arbitrary operating system commands, potentially leading to complete system takeover and data compromise.
Such a compromise of system integrity and data confidentiality could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system security.
However, the provided information does not explicitly describe the direct effects on compliance with these standards.