CVE-2025-62317
published 2026-05-14
Priority P48 · low · 2.6 (CVSS 3.1)
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
EPSS: 0.11% (1.9th percentile)
HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through browser history, logs, or intermediary systems, potentially leading to unintended information disclosure under certain conditions.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hcl | aion | — | — |
GHSA
GHSA-63f7-76jf-xf93: HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters
ghsa_unreviewed·2026-05-14
CVE-2025-62317 [LOW] CWE-598 GHSA-63f7-76jf-xf93: HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters
VulDB
HCL AION 2.1.0 URL Parameter get request method with sensitive query strings (KB0130636)
vuldb·2026-05-14·CVSS 2.6
CVE-2025-62317 [LOW] HCL AION 2.1.0 URL Parameter get request method with sensitive query strings (KB0130636)
A vulnerability, which was classified as problematic, has been found in HCL AION 2.1.0. This issue affects some unknown processing of the component URL Parameter Handler. The manipulation leads to use of get request method with sensitive query strings.
This vulnerability is uniquely identified as CVE-2025-62317. The attack is possible to be carried out remotely. No exploit exists.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.