Security Vulnerabilities
HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .
CVSS Score
7.1
EPSS Score
0.002
Published
2026-06-04
A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
CVSS Score
1.1
EPSS Score
0.001
Published
2026-06-04
A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
CVSS Score
1.1
EPSS Score
0.001
Published
2026-06-04
HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
CVSS Score
4.3
EPSS Score
0.002
Published
2026-06-04
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root.
CVSS Score
3.1
EPSS Score
0.001
Published
2026-06-04
HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers.
CVSS Score
3.7
EPSS Score
0.002
Published
2026-06-04
The web administration panel binds broadly to the public IPv6 address space on port [::]:8080 without default firewall limits, making internal API endpoints reachable over the WAN.
CVSS Score
6.9
EPSS Score
0.002
Published
2026-06-04
The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database.
CVSS Score
8.8
EPSS Score
0.002
Published
2026-06-04
Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links.
CVSS Score
6.9
EPSS Score
0.002
Published
2026-06-04
The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans.
CVSS Score
9.3
EPSS Score
0.002
Published
2026-06-04