HCL Commerce 9.1.18.0
HCL Commerce 9.1.18.2 is a cumulative fix pack for HCL Commerce Version 9.1.
- HCL Commerce 9.1.18.0 was released on May 20, 2025.
- HCL Commerce 9.1.18.1 was released on June 2, 2025.
- HCL Commerce 9.1.18.2 was released on August 4, 2025.
Attention: For a full list of the release files and their associated MD5 checksum values, see HCL Commerce eAssemblies.
Security updates
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| WebSphere Application Server and WebSphere Application Server Liberty included in: HCL Commerce 9.1.0.0 - 9.1.18.1 | CVE-2025-27907, CVE-2025-25193, CVE-2024-56339, CVE-2025-23184, CVE-2025-33104, CVE-2025-21587, CVE-2025-4447, CVE-2025-36097 | Multiple vulnerabilities that affect IBM® WebSphere Application Server and IBM WebSphere Application Server Liberty may affect HCL Commerce |
| HCL Commerce 9.1.0.0 - 9.1.18.1 | CVE-2025-31651, CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-46701, CVE-2024-29881 | Multiple vulnerabilities in open source components affect HCL Commerce |
| WebSphere Application Server included in: HCL Commerce 9.1.0.0 - 9.1.18.1 | CVE-2025-36038 | HCL Commerce which bundles IBM WebSphere Application Server is affected by arbitrary code execution |

| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| HCL Commerce versions 9.1.0.0 - 9.1.17.0 | CVE-2025-27820, CVE-2025-1302, CVE-2024-52798, CVE-2024-21534 | Multiple vulnerabilities in open source components affect HCL Commerce |
| IBM Java SDK included in: HCL Commerce versions 9.1.0.0 - 9.1.17.0 | CVE-2024-21235 | A vulnerability in IBM Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty and may affect HCL Commerce |
Important changes
HCL Commerce 9.1.18.2 contains the following important changes to site features and functionality.
- Update attribute search settings for Elasticsearch
  Ensure attributes are searchable in the Management Center (CMC) to maintain search functionality after upgrading. An example of a searchable attribute is color, for instance womenPantsColor with the color values red, black, gray, or other colors.
  If you use Elasticsearch and have attributes set to not searchable in the CMC, the behavior changes in version 9.1.18.0. In previous versions, attributes were searchable regardless of the CMC setting. In version 9.1.18.0 and later, the system honors the not searchable setting.
  To keep an attribute (such as a color field) searchable after you upgrade, mark the attribute as searchable in the CMC.
All changes to NiFi behavior in version 9.1.18.2 are described in Release changes to NiFi.
Feature enhancements
The following features have been introduced in this release. Review the following list to ensure that your site is prepared once this update is applied.
- Search
  - Apache Solr Version 7.3 optional upgrade to Version 9.7
    - The HCL Commerce Search engine can optionally be upgraded from Apache Solr Version 7.3 to Version 9.7, delivering improved performance, stability, and security.
      Note:
      - This is a runtime-only change and does not impact the Search Development environment.
      - It marks a major upgrade to Solr-based search with key infrastructure improvements.
  - Request Level Trace in NiFi dataflow
    - Added troubleshooting of Request Level Trace in NiFi dataflow.
  - New NiFi deployment option
    - A new NiFi deployment option allows an indexing-model-specific workspace, improving overall NiFi and indexing performance.
  - Upgrade to Open Liberty
    - Solr-based Search now runs on Java 17 using the Open Liberty application server, replacing Java 8 with IBM Liberty.
- Deployment
  - Custom lib folder replacement support for transaction server
    - 9.1.18 introduces the ts.ear.lib.folder.replace property, which entirely replaces the Transaction server's lib folder with a custom wcbd package's contents during ts-app docker image creation, removing outdated or vulnerable jars. Customers must ensure their package's lib folder includes all necessary third-party jars, as omitted files will be removed in the runtime. Customers can have multiple JAR versions if required by their implementation but should verify compatibility to avoid runtime conflicts. This feature requires rebuilding the wcbd package with the property set to True.
- Store
  - Progressive Web Application (PWA)
    - You can now access the Ruby store using mobile devices via a Progressive Web Application (PWA). You can create a dedicated smartphone app that appears with its own icon in the app list and can work even when offline. Ruby on PWA delivers a fast, reliable, and engaging shopping experience.
  - Video support for product pages
    - You can add a video alongside product images in the product detail page carousel. Your customers can view the video by clicking on its icon.
- Tools
  - CKEditor update
    - The Management Center for HCL Commerce supports rich text editing through CKEditor and TinyMCE. Starting with version 9.1.18, support for CKEditor has been reinstated and it is now the default editor.
  - Updated docker image folder
    - Angular build outputs are generated under the commerce-tooling/build/tooling-common folder. The previous dist/ output folder is no longer used.
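For the custom lib folder replacement described under Deployment above, a pre-build check can list which jars would disappear from the runtime and which artifacts ship in more than one version. This is an added example, not HCL tooling; the jar names are constructed samples, the file-name version heuristic is an assumption, and the folders passed to `list_jars` are whatever paths your stock image and wcbd package use.

```python
import re
from collections import defaultdict
from pathlib import Path

# Heuristic (assumption): "<artifact>-<version>.jar", where the version starts
# with a digit. Jars without a version suffix get the version "".
_JAR_RE = re.compile(r"^(?P<name>.+?)(?:-(?P<ver>\d[\w.\-]*))?\.jar$")

def split_jar(filename):
    """Return (artifact, version) for a jar file name, or None for non-jars."""
    m = _JAR_RE.match(filename)
    return (m.group("name"), m.group("ver") or "") if m else None

def list_jars(folder):
    """Jar file names directly inside a lib folder (path supplied by caller)."""
    return sorted(p.name for p in Path(folder).glob("*.jar"))

def _index(jars):
    by_name = defaultdict(set)
    for jar in jars:
        parsed = split_jar(jar)
        if parsed:
            by_name[parsed[0]].add(parsed[1])
    return by_name

def audit_lib_replacement(stock_jars, custom_jars):
    """Compare the stock lib folder with the custom package's lib folder.

    missing:           in stock, absent from custom -> gone after replacement
    version_changed:   present in both, but with a different set of versions
    multiple_versions: custom package carries more than one version
    """
    stock, custom = _index(stock_jars), _index(custom_jars)
    return {
        "missing": sorted(n for n in stock if n not in custom),
        "version_changed": sorted(
            n for n in stock if n in custom and stock[n] != custom[n]),
        "multiple_versions": sorted(n for n, v in custom.items() if len(v) > 1),
    }

# Constructed sample inventories (not taken from a real HCL Commerce image).
STOCK_LIB = ["commons-io-2.6.jar", "commons-codec-1.11.jar",
             "jackson-databind-2.9.8.jar", "wc-helper.jar"]
CUSTOM_LIB = ["commons-io-2.6.jar", "commons-io-2.16.1.jar",
              "jackson-databind-2.17.2.jar", "wc-helper.jar"]

if __name__ == "__main__":
    for finding, names in audit_lib_replacement(STOCK_LIB, CUSTOM_LIB).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Treat every entry under `missing` as a build blocker until you have confirmed the jar is genuinely unused, since the replacement removes it from the runtime.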
Defect fixes
See HCL Commerce 9.1.18.2 in Fixes that are included in HCL Commerce releases for a detailed list of defects that were fixed in this release and its associated fix pack.
Supported software
HCL Commerce 9.1.18.2 has been tested with the following software. The icon highlights software updates for version 9.1.18.2.
- WebSphere Application Server 9.0.5.23+ IFPH65946 + IFPH65966
- WebSphere Application Server V8.5.5 Liberty 25.0.0.3
- IBM SDK, Java Technology Edition, Version 8.0.8.40
- IBM HTTP Server 9.0.5.25
- WebSphere Application Server for Solr search.
| Commerce | Software | Database | Browsers |
|---|---|---|---|
| HCL Commerce Version 9.1.18.2 | | | |

7.17.20
7.17.20
Solr 9.7