CVE-2026-21826
6.1 MEDIUMHCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection
Published: 2026-06-05 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 6.1 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-601
Affected products
| Vendor | Product |
|---|---|
| hcltech | digital_experience, digital_experience_compose |
Description
HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-21837 — HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API (8.8 HIGH)
- CVE-2026-21825 — HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center (6.1 MEDIUM)
- CVE-2025-52612 — HCL iControl was affected by Export CSV - CSV Injection vulnerability (7.1 HIGH)
- CVE-2025-52611 — HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability (3.1 LOW)
- CVE-2025-52609 — HCL iControl was affected by Missing Security Headers vulnerability (3.7 LOW)
Same CWE
- CVE-2026-46616 — Umbraco is an ASP.NET CMS (5.4 MEDIUM)
- CVE-2026-48856 — Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data
- CVE-2026-45566 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (6.1 MEDIUM)
- CVE-2026-53440 — Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" secur... (4.3 MEDIUM)
- CVE-2026-53437 — Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenk... (4.3 MEDIUM)