What is CVE-2025-31951?

CVE-2025-31951 is a high-severity vulnerability in Hcl Bigfix Runbookai, classified under Command Injection. CVSS score: 8.8/10. Published 2026-05-06.

How severe is CVE-2025-31951?

High severity. CVSS v3 base score is 8.8 out of 10.

RCE in Hcl Bigfix Runbookai

CVE-2025-31951

HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.000 (11.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Hcl Bigfix Runbookai — versions 11.2

Weakness classification (CWE)

CWE-77 — Command Injection
CWE-351
CWE-451 — User Interface (UI) Misrepresentation of Critical Information

References

psirt@hcl.com

Frequently asked questions

What is CVE-2025-31951?: CVE-2025-31951 is a high-severity vulnerability in Hcl Bigfix Runbookai, classified under Command Injection. CVSS score: 8.8/10. Published 2026-05-06.
How severe is CVE-2025-31951?: High severity. CVSS v3 base score is 8.8 out of 10.