Cyber Resilience

CVE-2026-21821

High

Published: 13 May 2026

Published
13 May 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0021 11.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21821 is a high-severity Use of Unmaintained Third Party Components (CWE-1104) vulnerability in Hcl Software (inferred from references). Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and…

more

increase the risk of client-side attacks such as Cross-Site Scripting (XSS) or manipulation through vulnerable third-party components.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Outdated jQuery enables XSS leading to drive-by compromise and client-side execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-3497Shared CWE-1104
CVE-2025-34192Shared CWE-1104
CVE-2026-41468Shared CWE-1104
CVE-2025-10220Shared CWE-1104
CVE-2025-12104Shared CWE-1104
CVE-2025-34193Shared CWE-1104

Affected Assets

Hcl Software
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-1104

Security groups frequently discuss maintenance status of third-party components, aiding identification and avoidance of unmaintained ones.

addresses: CWE-1104

Maintaining an accurate, reviewed inventory of all system components enables tracking of third-party software versions and maintenance status, reducing the risk of using unmaintained components.

addresses: CWE-1104

The maintenance policy requires regular updates and upkeep of systems and third-party components, directly reducing the presence of unmaintained software that attackers can exploit.

addresses: CWE-1104

Requiring quick access to maintenance support and spare parts after failure necessitates using actively supported components rather than unmaintained third-party ones.

addresses: CWE-1104

Contact with security communities directly informs personnel of unmaintained components and their vulnerabilities, reducing the likelihood of their continued use.

addresses: CWE-1104

Threat intelligence sharing directly informs organizations of newly discovered vulnerabilities and exploitation in third-party components, enabling timely updates or replacement before attackers can leverage them.

addresses: CWE-1104

Resource allocation in investment requests funds regular maintenance, patching, and updates of third-party components.

addresses: CWE-1104

Organization-wide SCRM policy includes ongoing evaluation of third-party component support lifecycles to avoid unmaintained dependencies.

References