{"api_version":"1","generated_at":"2026-06-05T17:41:03+00:00","cve":"CVE-2026-21826","urls":{"html":"https://cve.report/CVE-2026-21826","api":"https://cve.report/api/cve/CVE-2026-21826.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-21826","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-21826"},"summary":{"title":"HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection","description":"HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection.  An attacker can manipulate the Host header and cause the application to behave in unexpected ways.","state":"PUBLISHED","assigner":"HCL","published_at":"2026-06-05 07:16:29","updated_at":"2026-06-05 16:05:36"},"problem_types":["CWE-601","CWE-601 CWE-601 URL redirection to untrusted site ('open redirect')"],"metrics":[{"version":"3.1","source":"psirt@hcl.com","type":"Secondary","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849","name":"https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849","refsource":"psirt@hcl.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-21826","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21826","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"HCLSoftware","product":"Digital Experience & DX Compose","version":"affected 9.5","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Digital Experience & DX Compose","vendor":"HCLSoftware","versions":[{"status":"affected","version":"9.5"}]}],"datePublic":"2026-06-05T05:37:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection.  An attacker can manipulate the Host header and cause the application to behave in unexpected ways."}],"value":"HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection.  An attacker can manipulate the Host header and cause the application to behave in unexpected ways."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-601","description":"CWE-601 URL redirection to untrusted site ('open redirect')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-05T05:58:31.449Z","orgId":"1e47fe04-f25f-42fa-b674-36de2c5e3cfc","shortName":"HCL"},"references":[{"url":"https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849"}],"source":{"discovery":"UNKNOWN"},"title":"HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection","x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"1e47fe04-f25f-42fa-b674-36de2c5e3cfc","assignerShortName":"HCL","cveId":"CVE-2026-21826","datePublished":"2026-06-05T05:58:31.449Z","dateReserved":"2026-01-05T16:08:22.255Z","dateUpdated":"2026-06-05T05:58:31.449Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-05 07:16:29","lastModifiedDate":"2026-06-05 16:05:36","problem_types":["CWE-601","CWE-601 CWE-601 URL redirection to untrusted site ('open redirect')"],"metrics":{"cvssMetricV31":[{"source":"psirt@hcl.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"21826","Ordinal":"1","Title":"HCL Digital Experience and HCL Digital Experience Compose could ","CVE":"CVE-2026-21826","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"21826","Ordinal":"1","NoteData":"HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection.  An attacker can manipulate the Host header and cause the application to behave in unexpected ways.","Type":"Description","Title":"HCL Digital Experience and HCL Digital Experience Compose could "}]}}}