Skip to main content
CVE-2026-54157 CRITICAL POC PATCH GHSA Act Now

Unauthenticated server-side request forgery in LobeHub's `/webapi/proxy` endpoint (versions <= 2.1.56) allows any remote attacker to proxy arbitrary HTTP requests through LobeHub's infrastructure and inject attacker-controlled `Set-Cookie` headers onto the `lobehub.com` domain. The flaw stems from the route handler omitting the `checkAuth()` wrapper that protects every other webapi route, enabling SSRF, infrastructure reconnaissance against Vercel internals, and a CSRF-to-session-fixation chain against Clerk auth cookies. Publicly available exploit code exists (working curl PoCs and a CSRF HTML PoC are included in the GitHub Security Advisory GHSA-xmwj-c75x-6346); no public exploit identified at time of analysis in CISA KEV.

CSRF SSRF
NVD GitHub
CVSS 3.1
9.0
EPSS
1.8%
CVE-2026-46331 HIGH POC PATCH This Week

Local privilege escalation potential in the Linux kernel's net/sched traffic-control subsystem arises from a partial copy-on-write (COW) miss in the pedit action (tcf_pedit_act), where skb_ensure_writable() is sized using tcfp_off_max_hint before the per-key loop and fails to account for the runtime header offset added by typed keys, leaving part of the write region un-COW'd and causing page cache corruption. A local low-privileged attacker able to install tc pedit rules (CAP_NET_ADMIN, obtainable in user namespaces on many distros) can corrupt shared page-cache memory, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS is low at 0.14% (4th percentile) and the issue is not on CISA KEV.

Linux Buffer Overflow Integer Overflow
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-48055 CRITICAL PATCH Act Now

Arbitrary file write in Streambert Electron desktop app (versions ≤2.4.0) allows remote attackers to drop files anywhere the app process can write by serving a malicious subtitle ZIP archive. The subtitle extraction routine concatenates raw archive entry names to the destination path without sanitization, enabling classic Zip Slip path traversal that can be escalated to code execution by overwriting startup or configuration files. No public exploit identified at time of analysis, but the upstream advisory (GHSA-3q2x-3q9p-qwfc) and fix in v2.5.0 confirm the issue.

Path Traversal Streambert
NVD GitHub
CVSS 3.1
10.0
EPSS
0.8%
CVE-2026-46846 CRITICAL Act Now

Complete takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by unauthenticated remote attackers via crafted HTTP requests to the Security Framework component, with CVSS 10.0 reflecting a scope change that lets the compromise extend beyond WebCenter into adjacent Fusion Middleware products. No public exploit identified at time of analysis, but the combination of network attack vector, low complexity, no privileges, no user interaction, and Oracle's own 'easily exploitable' wording makes this a top-priority patching event. Vendor-released patch is available via the Oracle Critical Patch Update of June 2026 (CPUJUN2026).

Oracle Oracle Webcenter Portal Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-46803 CRITICAL Act Now

Unauthenticated remote takeover of Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP via a flaw in the Security Framework component, with a scope change extending impact to additional Oracle Fusion Middleware products. The maximum CVSS 3.1 score of 10.0 reflects network-reachable exploitation with no authentication or user interaction and full confidentiality, integrity, and availability loss; no public exploit identified at time of analysis, but the trivial attack profile makes this a top-priority patch.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-46781 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the RMI-based Client Bundle component, with a maximum CVSS 3.1 score of 10.0 due to a scope change that impacts additional products. Oracle's June 2026 CPU advisory is the authoritative source, and no public exploit identified at time of analysis, though the AV:N/AC:L/PR:N/UI:N profile makes weaponization plausible once technical details emerge.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-46778 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via the Client Bundle component over RMI, allowing unauthenticated network attackers to fully compromise the product and pivot into other Fusion Middleware components due to a CVSS scope change. With a maximum 10.0 CVSS score, low attack complexity, and no privileges or user interaction required, this is a top-priority issue, though no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-35308 CRITICAL Act Now

Remote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthenticated network attacker over HTTP to fully compromise affected deployments, with scope change permitting impact on additional connected products. Supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 carry a maximum CVSS 3.1 base score of 10.0 across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-35307 CRITICAL Act Now

Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion Middleware versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries the maximum CVSS 3.1 base score of 10.0 with scope change, meaning successful exploitation can pivot impact into other products that rely on the Coherence cluster. No public exploit identified at time of analysis, but the trivial attack complexity and Oracle's critical scoring make this a top-priority patch item.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-35301 CRITICAL Act Now

Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an unauthenticated network attacker to fully compromise the server with a scope change that impacts adjacent products. The CVSS 3.1 base score of 10.0 reflects the worst-case combination of network reachability, low complexity, no privileges, and full CIA impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-35292 CRITICAL Act Now

Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network attackers to fully compromise the server over HTTP with no user interaction, earning the maximum CVSS 10.0 due to a scope change that can impact adjacent products. Oracle's June 2026 Critical Patch Update is the sole intelligence source; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-53753 CRITICAL PATCH GHSA Act Now

Unauthenticated remote code execution in Crawl4AI's Docker API (versions <= 0.8.6) lets attackers escape the computed-fields expression sandbox and run arbitrary OS commands inside the container. The AST validator behind `_safe_eval_expression()` only blocked attribute names beginning with an underscore, so a crafted `JsonCssExtractionStrategy` schema can reach generator/frame attributes (`gi_frame`, `f_back`, `f_builtins`) to recover the real `__import__` and execute code. Because JWT auth is disabled by default, a single `POST /crawl` request suffices; publicly available exploit code exists (SSVC: PoC) and the vendor rates it CVSS 10.0, though EPSS is low at 0.45%.

Python Code Injection RCE Docker
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-46978 CRITICAL NEWS Act Now

Unauthenticated remote compromise of Oracle Solaris 11.4 Remote Administration Daemon (RAD) allows network attackers to read, modify, create, or delete critical data with scope change impacting adjacent products. The CVSS 3.1 base score of 10.0 with AV:N/AC:L/PR:N/UI:N reflects trivial network exploitability over HTTPS without authentication, and no public exploit identified at time of analysis. The scope-change designation indicates that successful exploitation breaches the security authority of RAD and propagates impact to other Solaris-managed components.

Authentication Bypass Oracle Oracle Solaris
NVD VulDB
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-25470 CRITICAL Act Now

Remote code execution in the ACPT (Pro) - Custom Post Types Plugin for WordPress (versions through 2.0.47) allows unauthenticated remote attackers to inject and execute arbitrary code on the underlying WordPress host. The CVSS 3.1 base score of 10.0 with a scope change (S:C) indicates the flaw escapes the plugin sandbox and compromises the entire WordPress installation. No public exploit has been identified at time of analysis, but the trivial attack profile (network, no auth, no UI) makes this a high-priority patching target.

Code Injection WordPress RCE Acpt Pro Custom Post Types Plugin For Wordpress
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-46800 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximum CVSS 3.1 base score of 10.0 and a scope change indicating impact beyond the WebCenter Sites boundary. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) lists the issue as easily exploitable with no privileges or user interaction required. There is no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-46798 CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers over HTTP, with a CVSS 3.1 base score of 10.0 reflecting a scope change that can impact adjacent products. No public exploit identified at time of analysis, but Oracle has rated the issue as easily exploitable and released a fix in the June 2026 Critical Patch Update.

Information Disclosure Oracle Oracle Webcenter Sites
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-46918 CRITICAL Act Now

Account takeover in Oracle E-Business Suite's Process Manufacturing Product Development component (versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the module via HTTP and pivot into other Oracle products through a CVSS scope change. Oracle rates the issue 9.9/10 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.

Oracle Oracle Process Manufacturing Product Development Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46900 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker over HTTPS to fully compromise the product and pivot into other E-Business Suite components via a CVSS scope change. Oracle has issued a fix in its June 2026 Critical Patch Update; no public exploit identified at time of analysis and EPSS/KEV signals were not provided.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46895 CRITICAL Act Now

Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievable by a low-privileged remote attacker over HTTP, with a scope change that lets the compromise impact other Oracle E-Business Suite components. The flaw carries a CVSS 3.1 base score of 9.9 (C:H/I:H/A:H, S:C). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46855 CRITICAL Act Now

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker via HTTPS, exploiting the Metadata Plugin component. The scope-changed flaw (CVSS 9.9) lets an attacker pivot to impact additional Oracle products beyond EM itself, and no public exploit identified at time of analysis.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46852 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata Plugin component, allowing a low-privileged remote attacker over HTTPS to fully compromise the platform with a scope change that impacts additional products. The CVSS 3.1 base score of 9.9 reflects the broad confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Manager Base Platform Privilege Escalation
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46847 CRITICAL Act Now

Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 (Fusion Middleware, Runtime Tools component) allows a low-privileged attacker with HTTPS network access to fully compromise the portal and, due to a scope change, impact additional downstream products. Oracle rates this 9.9 critical and the issue is described as easily exploitable; no public exploit identified at time of analysis and it is not currently listed in CISA KEV. The combination of low privilege requirement, network vector, and scope change makes any authenticated WebCenter user a credible threat for full takeover.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46844 CRITICAL Act Now

Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows an authenticated low-privileged attacker to fully compromise the Portal over HTTPS and, due to a scope change, impact additional downstream products. Oracle rates the issue CVSS 9.9 and shipped fixes in the June 2026 Critical Patch Update; no public exploit identified at time of analysis, but the 'easily exploitable' wording and broad scope make this a high-priority Oracle CPU item.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46838 CRITICAL Act Now

Account/portal takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker to compromise the product over HTTPS with low attack complexity, and because the scope changes the impact extends beyond WebCenter Portal itself to additional integrated Fusion Middleware components. The flaw, disclosed in Oracle's June 2026 Critical Patch Update, carries a CVSS 3.1 base score of 9.9 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46814 CRITICAL Act Now

Takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker over HTTP, with a scope-changed impact reaching adjacent Oracle Fusion Middleware products (CVSS 9.9). The flaw resides in the Security Framework component and was disclosed by Oracle in its June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority patching target.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46802 CRITICAL Act Now

Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP network access to fully compromise the Security Framework component and pivot into adjacent products via a scope change. The flaw carries a CVSS 3.1 base score of 9.9 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update, but no CISA KEV listing or EPSS data was provided in the input.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46794 CRITICAL Act Now

Privilege escalation to full takeover in Oracle Identity Manager Connector (Fusion Middleware) allows a low-privileged remote attacker with SSH network access to compromise the Generic Unix Connector and pivot into additional Fusion Middleware components via a CVSS scope change. Versions 12.2.1.4.0 and 14.1.2.1.0 are affected, with Oracle rating the issue 9.9 due to high confidentiality, integrity, and availability impact across product boundaries. No public exploit identified at time of analysis, but the AV:N/AC:L profile and SSH-reachable attack surface make this a high-priority Oracle CPU item.

Oracle Identity Manager Connector Privilege Escalation
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46793 CRITICAL Act Now

Takeover of Oracle Identity Manager Connector (Fusion Middleware) is achievable by a low-privileged remote attacker over HTTP, with a scope-changing impact that extends compromise to additional Oracle products. Oracle rates this 9.9 CVSS 3.1 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Affected releases are 12.2.1.4.0 and 14.1.2.1.0, with the fix delivered in Oracle's June 2026 Critical Patch Update.

Oracle Identity Manager Connector Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46792 CRITICAL Act Now

Full takeover of Oracle Identity Manager Connector (versions 12.2.1.4.0 and 14.1.2.1.0) is achievable by a low-privileged remote attacker via HTTP against the Generic Unix Connector component, with scope-changed impact reaching additional Oracle Fusion Middleware products. Oracle rates this CVSS 9.9 due to high confidentiality, integrity, and availability impact combined with low attack complexity and minimal privileges. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Identity Manager Connector Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46782 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible by a low-privileged attacker with HTTP access to the Client Bundle component, with scope change extending impact to other Oracle Fusion Middleware products. CVSS 9.9 reflects easy exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46779 CRITICAL Act Now

Takeover of Oracle WebCenter Enterprise Capture is achievable by a low-privileged remote attacker via the T3 protocol in the Client Bundle component, affecting versions 12.2.1.4.0 and 14.1.2.0.0. The flaw carries a CVSS 3.1 base score of 9.9 with a scope change, meaning successful exploitation can significantly impact additional adjacent products beyond the vulnerable component. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46767 CRITICAL Act Now

Privilege escalation to full takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with HTTP network access to compromise the Composer component and, due to a CVSS scope change, impact additional downstream products. The flaw carries a CVSS 3.1 base score of 9.9 and is marked easily exploitable by Oracle, though no public exploit identified at time of analysis. EPSS data and CISA KEV status are not provided in the available intelligence.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46765 CRITICAL Act Now

Privilege escalation and full takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker through the Composer component, with a scope change that lets the impact reach additional products in the Fusion Middleware stack. Oracle rates the flaw 9.9 CVSS due to the combination of low attack complexity, low privilege requirement, and full CIA impact, and no public exploit has been identified at time of analysis.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35323 CRITICAL Act Now

Takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible by a low-privileged attacker sending HTTP requests to the Content Server component, with a scope change that can significantly impact additional products. Oracle rates this 9.9 CVSS and describes it as easily exploitable, and no public exploit identified at time of analysis. Reported in the Oracle Critical Patch Update for June 2026, the flaw enables full compromise of the WebCenter Content instance and any in-scope downstream systems.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35321 CRITICAL Act Now

Takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker over HTTP, with scope change enabling impact on adjacent products in the Fusion Middleware stack. The flaw carries a CVSS 3.1 base score of 9.9 and is described by Oracle as easily exploitable, though no public exploit identified at time of analysis. Authenticated access to the Content Server is the only meaningful barrier, making this a high-priority patch item for enterprises using WebCenter Content for document management.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35316 CRITICAL Act Now

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 (Content Server component) allows a low-privileged remote attacker to compromise the application over HTTP and pivot to other products via a scope change. The CVSS 3.1 base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting easy exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35313 CRITICAL Act Now

Privilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the identity broker via the Authentication Engine component, with a CVSS 9.9 score reflecting a scope-changing impact on downstream protected applications. No public exploit identified at time of analysis, but Oracle's June 2026 Critical Patch Update flags it as easily exploitable over HTTP, making it a high-priority patch for any environment using OAM for SSO/federation.

Oracle Oracle Access Manager Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35294 CRITICAL Act Now

Account takeover in Oracle Identity Manager Connector (Fusion Middleware, Mainframe Connectors component) versions 12.2.1.4.0 and 14.1.2.1.0 allows an authenticated low-privileged attacker to fully compromise the connector over HTTP and pivot to other products via a CVSS scope change. The flaw carries a 9.9 CVSS 3.1 score with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, and CISA KEV does not list it.

Information Disclosure Oracle Identity Manager Connector
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35285 CRITICAL Act Now

Authenticated takeover of Oracle WebCenter Enterprise Capture (12.2.1.4.0 and 14.1.2.0.0) is achievable by a low-privileged remote attacker reaching the server via T3 or IIOP protocols, with scope change allowing impact on adjacent products in the Fusion Middleware stack. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise with low attack complexity, and no public exploit identified at time of analysis.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35284 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible by a low-privileged attacker who can reach the server's T3 or IIOP listener, with a scope change extending impact to additional Fusion Middleware components. Oracle rates the flaw CVSS 9.9 with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis and the CVE is not currently in CISA KEV.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35283 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the Client Bundle component, where a low-privileged attacker with T3/IIOP network access can fully compromise the product with a scope-changed impact on adjacent Fusion Middleware components. The 9.9 CVSS score reflects easy exploitability with high confidentiality, integrity, and availability impact, though there is no public exploit identified at time of analysis. Defenders should treat this as a high-priority patching item given the trivial complexity and broad WebLogic protocol exposure typical of Oracle Fusion Middleware deployments.

Oracle Authentication Bypass Oracle Webcenter Enterprise Capture
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35282 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible by a low-privileged attacker reaching the T3 or IIOP protocol endpoints, with a scope change that lets the attack significantly impact additional adjacent products. With a CVSS 3.1 score of 9.9 and high confidentiality, integrity, and availability impact, the flaw resides in the Client Bundle component of Oracle Fusion Middleware. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35280 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged attacker reaching the T3 or IIOP listeners, with a scope change that lets the compromise propagate to other Fusion Middleware components. CVSS 3.1 is rated 9.9 due to high confidentiality, integrity, and availability impact across a changed scope, and no public exploit identified at time of analysis. The flaw resides in the Client Bundle component of this document-capture product and is fixed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35268 CRITICAL Act Now

Account takeover in Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 (Fusion Middleware Core component) allows a low-privileged remote attacker to fully compromise the product via T3 or IIOP protocols, with scope change extending impact to other Fusion Middleware components. The CVSS 9.9 score reflects high confidentiality, integrity, and availability impact combined with low attack complexity. No public exploit identified at time of analysis, but Identity Manager's role as a central identity authority makes this a critical patching priority.

Oracle Identity Manager Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35263 CRITICAL Act Now

Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by a low-privileged attacker over HTTP, with a CVSS 3.1 score of 9.9 driven by a scope change that lets the impact spread beyond WebLogic itself. Oracle has issued the fix in the June 2026 Critical Patch Update (cspujun2026), and there is no public exploit identified at time of analysis. Authenticated but low-effort exploitation combined with full confidentiality, integrity and availability impact makes this a top-priority patching item for any Oracle middleware estate.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46964 CRITICAL Act Now

Privilege escalation and full takeover of Oracle Universal Work Queue (component: Work Provider Site Level Administration) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker over HTTP to compromise the application with scope change extending impact to additional products. The CVSS 3.1 base score is 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46963 CRITICAL Act Now

Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component via HTTP, with a scope change that can significantly impact other connected products. The CVSS 3.1 base score of 9.9 reflects high confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis. Authenticated EBS users - including low-tier business users - should be treated as potential threat actors against this surface.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46933 CRITICAL Act Now

Privilege escalation and full takeover of Oracle Applications Manager (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker over HTTP to fully compromise the management product and, because of the scope change, significantly impact additional integrated products. Oracle rates the issue CVSS 9.9 with confidentiality, integrity, and availability impacts; no public exploit identified at time of analysis. Listed in the ENISA EUVD as EUVD-2026-37249 and addressed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Applications Manager Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46908 CRITICAL Act Now

Takeover of Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 is possible by a low-privileged remote attacker over HTTP, with scope-changing impact on adjacent products. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise plus a scope change (S:C), and no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update (CPU).

Oracle Jd Edwards Enterpriseone Accounts Payable Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46907 CRITICAL Act Now

Takeover of Oracle JD Edwards EnterpriseOne Order Promising 9.2 is possible by a low-privileged remote attacker through the Order Promising Integration component over HTTP. The flaw produces a CVSS 3.1 scope change, meaning successful exploitation can significantly impact other interconnected products in the JD Edwards ecosystem. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Order Promising Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
Page 1 of 13 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy