CVE-2026-21826 PUBLISHED

HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection

Assigner: HCL
Reserved: 05.01.2026 Published: 05.06.2026 Updated: 05.06.2026

HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 6.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	HCLSoftware
Product	Digital Experience & DX Compose
Versions	Default: unaffected Version 9.5 is affected

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849

Problem Types

CWE-601 URL redirection to untrusted site ('open redirect') CWE