CVE-2026-21837 PUBLISHED

HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API

Assigner: HCL
Reserved: 05.01.2026 Published: 05.06.2026 Updated: 05.06.2026

HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	HCLSoftware
Product	Digital Experience
Versions	Default: unaffected Version 9.5 is affected

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849

Problem Types

CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection') CWE