CVE-2025-62320 MEDIUM

CVE-2025-62320: HTML Injection Leading to Data Exfiltration to External Server vulnerability affects HCL Unica Platform

Vendor Hcl
Product Sametime
Weakness CWE-79 · XSS
Published March 17, 2026
Last update March 17, 2026
View on NVD All CVEs

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user’s browser.

Key dates

02Disclosure timeline

March 17, 2026 CVE published
March 17, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-58834 WordPress short.io Plugin <= 2.4.2 - Cross Site Scripting (XSS) Vulnerability CVE-2024-38686 WordPress FancyPost plugin <= 5.3.1 - Cross Site Scripting (XSS) vulnerability CVE-2024-47368 WordPress Premium Blocks plugin <= 2.1.33 - Cross Site Scripting (XSS) vulnerability CVE-2025-13627 Makesweat <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting CVE-2021-24128 Team Members < 5.0.4 - Authenticated Stored Cross-Site Scripting (XSS)