A security patch closes a vulnerability in HCL BigFix SCM Reporting that can lead to the execution of malicious code.

Because support for the jQuery 1.x library used in HCL BigFix SCM Reporting has ended, that component no longer receives security updates, and a recently discovered security vulnerability in it remains unpatched. The HCL BigFix developers have now removed the component. Administrators use HCL BigFix to manage endpoints; in this context, SCM Reporting provides, among other things, analysis data for the managed PCs.

The Vulnerability

According to a warning notice [1], the security vulnerability (CVE-2026-21821) is classified with a threat level of "high". According to the brief description, attackers are reportedly able to exploit it for XSS attacks, which could lead to the execution of malicious code. To prevent attacks, administrators must install version 168 in the SCM Reporting settings. So far, there are no reports that attackers have already exploited the vulnerability.

Administrators of HCL BigFix currently have to update the software more frequently: at the end of April, the manufacturer corrected faulty access controls in HCL BigFix Service Management [2] with a fresh software version.

(des [4])

URL of this article: https://www.heise.de/-11296751

Links in this article:
[1] https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130744
[2] https://www.heise.de/news/Patch-richtet-fehlerhafte-Zugriffskontrolle-in-HCL-BigFix-Service-Management-11270913.html
[3] https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp
[4] mailto:des@heise.de

Copyright © 2026 Heise Medien
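The root cause described above is a bundled jQuery 1.x copy that no longer receives fixes. The following is an added inventory check, not code from heise or from HCL: it parses the version banner that real jQuery builds carry at the top of the file (the minified form "/*! jQuery v1.12.4 | ..." and the uncompressed form "jQuery JavaScript Library v3.6.0") and flags copies on an end-of-life major line. The page only names 1.x; the script also flags 2.x, since upstream ended support for both lines. The file paths and banner contents in the sample are constructed for the example.

```python
from __future__ import annotations

import re
from typing import Optional

# Both banner forms shipped by real jQuery releases; the banner sits in the
# first few lines of the file, so only the head of each file is inspected.
#   minified:     /*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */
#   uncompressed: * jQuery JavaScript Library v3.6.0
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")

# Major lines that no longer receive security fixes upstream (1.x and 2.x).
UNSUPPORTED_MAJORS = {1, 2}


def jquery_version(source: str) -> Optional[tuple[int, int, int]]:
    """Return (major, minor, patch) from a jQuery file's banner, or None if absent."""
    m = BANNER_RE.search(source[:2000])
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_unsupported(version: tuple[int, int, int]) -> bool:
    """True when the copy is on a major line that gets no more security updates."""
    return version[0] in UNSUPPORTED_MAJORS


def audit(files: dict[str, str]) -> list[str]:
    """Map of path -> file contents; returns one finding per end-of-life jQuery copy."""
    findings = []
    for path, src in files.items():
        v = jquery_version(src)
        if v is not None and is_unsupported(v):
            findings.append(f"{path}: jQuery {v[0]}.{v[1]}.{v[2]} is end-of-life")
    return findings


# Constructed sample: one EOL minified copy, one current uncompressed copy,
# and one unrelated script that must not produce a false positive.
SAMPLE_FILES = {
    "static/js/jquery.min.js": (
        "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n"
        "!function(a,b){/* ... minified body ... */}(window);\n"
    ),
    "static/js/jquery-3.6.0.js": (
        "/*!\n"
        " * jQuery JavaScript Library v3.6.0\n"
        " * https://jquery.com/\n"
        " */\n"
        "( function( global, factory ) { /* ... */ } )( window );\n"
    ),
    "static/js/app.js": "document.addEventListener('DOMContentLoaded', () => {});\n",
}


if __name__ == "__main__":
    for line in audit(SAMPLE_FILES):
        print(line)
```

In a real deployment the dictionary would be filled by walking the web root (or the extracted contents of an application package) and reading the head of every `.js` file; a hit on an unsupported major line is the cue to upgrade or, as HCL did here, remove the component.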