HCL Commerce Version 9.1.18.0

HCL Commerce 9.1.18.2

HCL Commerce 9.1.18.2 is a cumulative fix pack for HCL Commerce Version 9.1.

  • HCL Commerce 9.1.18.0 was released on May 20, 2025.
  • HCL Commerce 9.1.18.1 was released on June 2, 2025.
  • HCL Commerce 9.1.18.2 was released on August 4, 2025.
Attention:
  • As of August 28, 2025, the Bitnami public catalog will change to a new repository and move older releases to a legacy repository. This change will affect Bitnami images that Commerce uses. To avoid service interruptions, immediately download your Bitnami images to your own Docker repository, or switch to the Bitnami Legacy Repository. For more information and instructions, see Update Bitnami image references.
  • 9.1.18.2 includes an update to IBM WebSphere Application Server that addresses CVE-2025-36038, as well as updates to other supported software.

    If you are upgrading from HCL Commerce 9.1.17.0 or earlier releases, upgrade directly to HCL Commerce 9.1.18.2.

    9.1.18.2 includes a fix for an installation issue customers upgrading to 9.1.18.0 encountered if they were using a Commerce schema name other than wcs.

    The table below highlights the updated binaries.

    Release: HCL Commerce 9.1.18.2
    Updated binaries: All binaries were updated for 9.1.18.2 except HCL Commerce Search Bundle V9.1.18.2.

    Release: HCL Commerce 9.1.18.1
    Updated binaries:
    • HCL_Commerce_Enterprise_9.1.18.1_Utility_Server_x86-64.tgz
    • HCL_Commerce_Enterprise_9.1.18.1_Utility_Server_ppc64le.tgz
    • HCL_Commerce_Enterprise_V9.1.18.1_Developer.zip
    • HCL_Commerce_DevOps_9.1.18.1.bundle
    • HCL_Commerce_Helm_Charts_9.1.18.1.bundle

    Release: HCL Commerce 9.1.18.0
    Updated binaries: Full release.

For a full list of the release files and their associated MD5 checksum values, see HCL Commerce eAssemblies.

Security updates

HCL Commerce 9.1.18.2 contains the following security-related fixes:

Affected software: WebSphere Application Server and WebSphere Application Server Liberty included in HCL Commerce 9.1.0.0 - 9.1.18.1
CVE(s): CVE-2025-27907, CVE-2025-25193, CVE-2024-56339, CVE-2025-23184, CVE-2025-33104, CVE-2025-21587, CVE-2025-4447, CVE-2025-36097
Vulnerability: Multiple vulnerabilities that affect IBM® WebSphere Application Server and IBM WebSphere Application Server Liberty may affect HCL Commerce

Affected software: HCL Commerce 9.1.0.0 - 9.1.18.1
CVE(s): CVE-2025-31651, CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-46701, CVE-2024-29881
Vulnerability: Multiple vulnerabilities in open source components affect HCL Commerce

Affected software: WebSphere Application Server included in HCL Commerce 9.1.0.0 - 9.1.18.1
CVE(s): CVE-2025-36038
Vulnerability: HCL Commerce which bundles IBM WebSphere Application Server is affected by arbitrary code execution

HCL Commerce 9.1.18.0 contains the following security-related fixes:

Affected software: HCL Commerce versions 9.1.0.0 - 9.1.17.0
CVE(s): CVE-2025-27820, CVE-2025-1302, CVE-2024-52798, CVE-2024-21534
Vulnerability: Multiple vulnerabilities in open source components affect HCL Commerce

Affected software: IBM Java SDK included in HCL Commerce versions 9.1.0.0 - 9.1.17.0
CVE(s): CVE-2024-21235
Vulnerability: A vulnerability in IBM Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty and may affect HCL Commerce

Important: Non-applicable vulnerabilities are security vulnerabilities related to HCL Commerce and its companion or co-requisite software that the HCL Commerce team has determined require no action, as they do not impact HCL Commerce deployments.

Important changes

HCL Commerce 9.1.18.2 contains the following important changes to site features and functionality.

Important: Required changes
  • For customers using Elasticsearch who may have set an attribute (for example, 'womenPantsColor' with values like red, black, grey, etc.) as 'not searchable' in the CMC, please note the following change in behavior starting with version 9.1.18.0. Previously, color attributes in Elasticsearch were searchable even if they were not marked as searchable in CMC. However, in version 9.1.18.0 and later, the attribute will no longer be searchable and the system will accurately reflect the 'not searchable' setting. If you wish for these color fields to remain searchable after upgrading, you must ensure the corresponding attribute is marked as 'searchable' in the CMC.

    All changes to NiFi behavior in version 9.1.18.0 are described in Release changes to NiFi.

Feature enhancements

The following features have been introduced in this release. Review the following list to ensure that your site is prepared once this update is applied.

Apache Solr Version 7.3 optional upgrade to Version 9.7
The HCL Commerce Search engine has an optional upgrade from Apache Solr Version 7.3 to Version 9.7, delivering improved performance, stability, and security.
Note:
  • This is a runtime-only change and does not impact Search Development environment.
  • It marks a major upgrade to Solr-based search with key infrastructure improvements.
Learn more...
Request Level Trace in NiFi dataflow
Added troubleshooting of Request Level Trace in NiFi dataflow.
Learn more...
New NiFi deployment option
A new NiFi deployment option allows a workspace specific to an indexing model, which improves overall NiFi and indexing performance.
Learn more...
Deployment
Custom lib folder replacement support for transaction server
9.1.18 introduces the ts.ear.lib.folder.replace property, which entirely replaces the Transaction server’s lib folder with the contents of a custom wcbd package during ts-app Docker image creation, removing outdated or vulnerable JARs. You must ensure that your package’s lib folder includes all necessary third-party JARs, because omitted files are removed from the runtime. You can keep multiple versions of a JAR if your implementation requires them, but verify compatibility to avoid runtime conflicts. This feature requires rebuilding the wcbd package with the property set to True.
Learn more...
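A pre-build check for the lib folder replacement described above, as an added example rather than HCL tooling: it compares the JARs in the current Transaction server lib folder with those in the custom package and reports what would be dropped and where several versions coexist. The directory arguments, the JAR names in the demo and the file-name version heuristic are assumptions.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Heuristic (assumption): "<name>-<version>.jar", version starts with a digit.
_JAR = re.compile(r"^(?P<name>.+?)(?:-(?P<ver>\d[\w.\-]*))?\.jar$")


def jar_index(lib_dir):
    """Map artifact name -> versions found in lib_dir (file-name order)."""
    index = defaultdict(list)
    for path in sorted(Path(lib_dir).glob("*.jar")):
        m = _JAR.match(path.name)
        if m:
            index[m["name"]].append(m["ver"] or "unversioned")
    return dict(index)


def review_replacement(current_lib, custom_lib):
    """Report what replacing current_lib with custom_lib would change."""
    cur, new = jar_index(current_lib), jar_index(custom_lib)
    return {
        # Present today, absent from the custom package: gone after the rebuild.
        "dropped": sorted(set(cur) - set(new)),
        # Same artifact, different version set: confirm the change is intended.
        "version_changed": {n: (cur[n], new[n])
                            for n in sorted(cur.keys() & new.keys())
                            if cur[n] != new[n]},
        # Several versions side by side: check for classpath conflicts.
        "multiple_versions": {n: v for n, v in new.items() if len(v) > 1},
    }


def demo():
    """Run the check on constructed folders with made-up JAR names."""
    with tempfile.TemporaryDirectory() as tmp:
        cur, new = Path(tmp, "current_lib"), Path(tmp, "custom_lib")
        cur.mkdir()
        new.mkdir()
        for name in ("commons-io-2.6.jar", "guava-30.0.jar", "vendor-sdk.jar"):
            (cur / name).touch()
        for name in ("commons-io-2.16.1.jar", "guava-30.0.jar", "guava-33.0.jar"):
            (new / name).touch()
        return review_replacement(cur, new)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Anything listed under "dropped" needs to be added to the custom package or confirmed as no longer required before the property is set to True.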
Store
Progressive Web Application (PWA)
You can now access the Ruby store using mobile devices via a Progressive Web Application (PWA). You can create a dedicated smartphone app that appears with its own icon in the app list and can work even when offline. Ruby on PWA delivers a fast, reliable, and engaging shopping experience.

Learn more...

Video support for product pages
You can add a video alongside product images in the product detail page carousel. Your customers can view the video by clicking on its icon.

Learn more...

Volume pricing

Volume pricing is the price of a product which varies according to the quantity ordered. It displays different prices for specific quantities and creates multiple pricing tiers in the price list.

Learn more...

Schema org metadata
Schema org metadata is added to the Next.js store pages for better search engine optimization (SEO).
Learn more...
Coupon wallet

A coupon wallet is a storage for the coupons a shopper receives. During checkout, shoppers can select coupons from their wallets.

Learn more...
Primary address

The primary address is the default address in the shopper's Next.js store account. It is saved in the shopper's profile for quick access during checkout and order management, and is used for billing, shipping, and communication purposes.

Learn more...

In-progress orders / saved carts
In-progress orders or saved orders allow customers to save their shopping carts for later checkout. They can add items, make modifications, and complete the purchase at their convenience without losing their selections.

Learn more...

Open Graph tags
Open Graph tags function is added to the Next.js store pages for better search engine optimization (SEO).
Learn more...
Buy Online, Pick Up in Store (BOPIS)
Buy Online, Pick Up actions are supported through enhancements to the customer's checkout profile. BOPIS encourages customers to visit physical stores to collect their orders. Visiting the store provides opportunities for the customer to make additional purchases and thus boosts in-store sales and customer retention.

Learn more...

Hide all prices for guest users

The Hide Price function restricts guest users from viewing product prices on the Product Listing Page (PLP) and Product Detail Page (PDP). Hide Price encourages customers to create a profile or contact the store for a quote, increasing client engagement and encouraging negotiation for better prices. You can use this feature with both B2C and B2B Next.js stores.

Learn more...

Tools
CKEditor update
The Management Center for HCL Commerce supports rich text editing through CKEditor and TinyMCE. Starting with version 9.1.18, support for CKEditor has been reinstated and it is now the default editor.
Learn more...

Defect fixes

See HCL Commerce 9.1.18.2 in Fixes that are included in HCL Commerce releases for a detailed list of defects that were fixed in this release and its associated fix pack.

Supported software

HCL Commerce 9.1.18.2 has been tested with the following companion software. The icon highlights software updates for version 9.1.18.2.

Commerce:
  • HCL Commerce Version 9.1.18.0

Companion software:
  • WebSphere Application Server 9.0.5.23+ IFPH65946 + IFPH65966
  • WebSphere Application Server V8.5.5 Liberty 25.0.0.3
  • IBM SDK, Java Technology Edition, Version 8.0.8.40
  • IBM HTTP Server 9.0.5.23
  • IBM Installation Manager 1.10.1.1
  • Elasticsearch
    • x86-64: 7.17.20
    • Power: 7.17.20
  • NiFi 1.28.1
  • NiFi Registry 1.22
  • CoreNLP 4.5.9
  • Solr
    • Solr 7.3
    • HCL Commerce Version 9.1.18.0 or later: Solr 9.7
  • ZooKeeper
    • x86-64: 3.9.3
    • Power: 3.8.0
  • Redis
    • x86-64: 7.4.2
    • Power: 7.4.2-bv
  • Redisson 3.45.0
  • Vault 1.14.8
  • Kubernetes 1.30 to 1.32
  • Helm 3.17.x

Database:
  • Solr-based search solution
    • IBM Db2
      • x86-64: 11.5.9
      • Power: 11.5.9
    • Oracle 18c
    • Oracle 19c
  • Elasticsearch-based search solution
    • IBM Db2
      • x86-64: 11.5.9
      • Power: 11.5.9
    • Oracle 19c
  • Approval server
    • x86-64: PostgreSQL 14.13
    • Power: PostgreSQL 14.13

Browsers:
  • Management Center for HCL Commerce
    • Edge 20+
    • Firefox 39+
    • Chrome 44+
    • Safari 10+
  • React-based storefronts
    • Edge 87+
    • Firefox 84+
    • Chrome 87+
    • Safari 14+
  • Aurora-based storefronts
    • Internet Explorer 20H2+
    • Edge 87+
    • Firefox 84+
    • Chrome 87+
    • Safari 14+