Home
What's new in Version 9.1
What's new includes information about the major additions and changes to the features and functionality that are available with the latest iteration of HCL Commerce.
Non-applicable vulnerabilities
The HCL Commerce team has evaluated the following security vulnerabilities identified within the HCL Commerce stack and determined there is no impact to default deployments.

What's new in Version 9.1
What's new includes information about the major additions and changes to the features and functionality that are available with the latest iteration of HCL Commerce.
- Releases
  The following is a list of recent release update packages for HCL Commerce Version 9.1.
- Security bulletins
  HCL Commerce security bulletins detail vulnerabilities in HCL Commerce or its companion software, providing risk assessment information to help organizations gauge potential impact.
- Security fixes
  The following HCL Commerce releases contain security fixes for defects that are considered to be security vulnerabilities. The following details provide security risk assessment information to help you assess if a particular issue might impact your organization.
- Non-applicable vulnerabilities
  The HCL Commerce team has evaluated the following security vulnerabilities identified within the HCL Commerce stack and determined there is no impact to default deployments.
- Defect fixes
  Review the following tables for more information about recent fixes that are included in update packages for HCL Commerce.

Non-applicable vulnerabilities

The HCL Commerce team has evaluated the following security vulnerabilities identified within the HCL Commerce stack and determined there is no impact to default deployments.

Vulnerabilities are grouped by assessment date.

December 11, 2025


CVE(s)	Applicable containers
CVE-2025-41242, CVE-2025-41249, CVE-2021-41248, CVE-2025-12183, CVE-2025-66566,	Store server (`crs-app`)
CVE-2025-41242, CVE-2025-22235	Approval server (`approval-app`)
CVE-2025-41249, CVE-2025-41242, CVE-2025-66566	Transaction server (`ts-app`)
CVE-2025-41249, CVE-2025-41242, CVE-2019-0193, CVE-2025-54988, CVE-2025-12183, CVE-2025-66566	Utility server (`ts-utils`)
CVE-2025-11226, CVE-2025-22235, CVE-2025-37727, CVE-2025-22233 CVE-2025-12183, CVE-2025-66566	Elasticsearch query server (`query-app`)
CVE-2025-41249, CVE-2025-22235, CVE-2025-41242	Elasticsearch Ingest server (`ingest-app`)
CVE-2025-41249, CVE-2025-41242, CVE-2025-66566	Elasticsearch NiFi server (`nifi-app`)
CVE-2025-11226, CVE-2025-54988, CVE-2025-12183, CVE-2025-66566	Search server (`search-app`)
CVE-2025-22235, CVE-2023-44487, CVE-2025-37727, CVE-2025-11226, CVE-2025-41249, CVE-2025-12183, CVE-2025-66566	Must-Gather server (`mustgather-app`)
CVE-2025-55182, CVE-2025-66478	Next.js store server (`nextjs-app`)
CVE-2025-66566	Cache Manager (`cache-app`)

August 5, 2025


CVE(s)	Applicable containers
CVE-2024-6763, CVE-2025-48924	Search server (`search-app`)
CVE-2025-22233, CVE-2024-29881, CVE-2021-23450, CVE-2020-5258, CVE-2018-15494	Transaction server (`ts-app`)
CVE-2025-22233, CVE-2024-29881, CVE-2025-46392, CVE-2025-48924	Utility server (`ts-utils`)
CVE-2025-22233, CVE-2025-46392, CVE-2025-48924	Store server (`crs-app`)
CVE-2025-22233	Approval-App (`approval-app`)
CVE-2025-31651, CVE-2025-31650, CVE-2025-22233	Must-Gather server (`mustgather-app`)
CVE-2024-12801, CVE-2024-12798, CVE-2023-6378	Elasticsearch Ingest server (`ingest-app`)
CVE-2025-5889	Next.js store server (`nextjs-app`)
CVE-2025-5889	GraphQL server (`graphql-app`)

May 19, 2025


CVE(s)	Applicable containers
CVE-2024-38828, CVE-2024-12798, CVE-2024-12801	Must-Gather server (`mustgather-app`)
CVE-2024-38828,	Store server (`crs-app`)
CVE-2024-38819, CVE-2024-38828, CVE-2024-12801, CVE-2024-12798	Elasticsearch query server (`query-app`)
CVE-2024-21538	GraphQL server (`graphql-app`)
CVE-2024-38828, CVE-2025-22228, CVE-2025-22235	Approval server (`approval-app`)
CVE-2025-24814, CVE-2024-52012	Search server (`search-app`)
CVE-2022-24614, CVE-2024-38828, CVE-2024-53677	Utility server (`ts-utils`)
CVE-2024-38828, CVE-2024-53677	Transaction server (`ts-app`)

December 4, 2024


CVE(s)	Applicable containers
CVE-2024-38816, CVE-2024-38820	Transaction server (`ts-app`)
CVE-2024-45216, CVE-2024-45217, CVE-2018-8026	Search server (`search-app`)
CVE-2024-28863, CVE-2024-43799	GraphQL server (`graphql-app`)
CVE-2016-1000027, CVE-2024-38816, CVE-2024-38819, CVE-2024-38820	Elasticsearch Ingest server (`ingest-app`)
CVE-2016-1000027, CVE-2024-38816, CVE-2024-38819, CVE-2024-38820, CVE-2023-6378, CVE-2024-7254	Elasticsearch query server (`query-app`)
CVE-2024-23444, CVE-2024-38820, CVE-2024-38816, CVE-2024-38819	Must-Gather server (`mustgather-app`)
CVE-2024-38816, CVE-2024-38819, CVE-2024-38820	Store server (`crs-app`)
CVE-2024-38820, CVE-2024-38816, CVE-2024-38819	Approval server (`approval-app`)

August 30, 2024


CVE(s)	Applicable containers
CVE-2024-30171, CVE-2024-30172, CVE-2023-33202, CVE-2024-29857, CVE-2023-33201, CVE-2023-33202, CVE-2024-22262, CVE-2016-1000027, CVE-2020-11023, CVE-2020-7656, CVE-2019-11358, CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2022-31160	Transaction server (`ts-app`)
CVE-2022-1471, CVE-2018-8026	Search server (`search-app`)
CVE-2024-28863	GraphQL server (`graphql-app`)
CVE-2022-1471, CVE-2024-22262, CVE-2016-1000027, CVE-2018-8026, CVE-2020-11023, CVE-2020-7656, CVE-2019-11358	Utility server (`ts-utils`)
CVE-2024-23944, CVE-2018-25031	Elasticsearch Ingest server (`ingest-app`)
CVE-2016-1000027	Elasticsearch NiFi server (`nifi-app`)
CVE-2020-11979, CVE-2020-1945, CVE-2021-36374, CVE-2021-36373, CVE-2024-34750	Must-Gather server (`mustgather-app`)
CVE-2020-11979, CVE-2024-34750, CVE-2020-1945, CVE-2021-36374, CVE-2021-36373	Tooling Web server (`tooling-web`)
CVE-2020-11979, CVE-2024-34750, CVE-2020-1945, CVE-2021-36374, CVE-2021-36373	Store server (`crs-app`)