Skip to main content
CVE-2026-46893 CRITICAL Act Now

Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.

Oracle Jd Edwards Enterpriseone General Ledger Privilege Escalation
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46854 CRITICAL Act Now

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management component) allows a low-privileged attacker with HTTP network access to compromise the platform and impact other Oracle products via scope change. The flaw carries a CVSS 9.9 rating reflecting low attack complexity and broad confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Enterprise Manager often holds privileged credentials for managed Oracle databases and middleware, successful exploitation effectively pivots the attacker into the wider Oracle estate.

Oracle Authentication Bypass Oracle Enterprise Manager Base Platform
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46850 CRITICAL Act Now

Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.

Oracle Mysql Shell Code Injection RCE
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46832 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework component, where a low-privileged authenticated attacker with HTTPS access can fully compromise the platform and impact adjacent products via a scope change. The flaw carries a CVSS 3.1 score of 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Oracle disclosed this in the June 2026 Critical Patch Update advisory (cspujun2026), and exploitation is rated low complexity.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-35281 CRITICAL Act Now

Account takeover of Oracle WebCenter Enterprise Capture (12.2.1.4.0 and 14.1.2.0.0) is achievable by a low-privileged attacker with network access to the T3 or IIOP protocols. The CVSS 9.9 score reflects a scope-changing flaw in the Client Bundle component that can pivot beyond the originally compromised product, with full impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, but Oracle's own CPU advisory confirms the issue and the low attack complexity makes it a high-priority patching target.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46901 CRITICAL Act Now

Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Denial Of Service Oracle Oracle Enterprise Command Center Framework
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46897 CRITICAL Act Now

Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker over HTTP to gain unauthorized read, modify, and delete access to all framework-accessible data, with scope change extending impact to other Oracle E-Business Suite products. The CVSS 9.9 score reflects low attack complexity, low privileges required, and the scope change that crosses security boundaries into adjacent products. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Denial Of Service Oracle Oracle Enterprise Command Center Framework
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-49774 CRITICAL Act Now

Remote code execution in the Filipe Nasc RD Station WordPress plugin (versions up to and including 5.6.0) allows authenticated attackers to inject and execute arbitrary PHP code through an improper code-generation control flaw. The issue carries a critical CVSS 3.1 score of 9.9 with a scope-changing impact, and no public exploit identified at time of analysis, though Patchstack has catalogued it as a Remote Code Execution vulnerability in their WordPress vulnerability database.

Code Injection RCE Rd Station
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-48781 CRITICAL PATCH Act Now

Privilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated user to forge session JWTs and impersonate arbitrary organizations. The Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware blindly trusted every claim without re-resolving the user from the database. No public exploit identified at time of analysis, but the fix commit is public and the root cause is trivially reproducible from the patch diff.

Information Disclosure Postiz App
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-35278 CRITICAL Act Now

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor component, allowing unauthenticated network attackers to fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 9.8 critical and describes it as easily exploitable over HTTP, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-46902 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Oracle E-Business Suite, is possible over HTTPS with low attack complexity. The flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8) on the Core component and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the trivial exploitability profile makes this a high-priority patching target.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46860 CRITICAL Act Now

Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.

Oracle Mysql Router Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46859 CRITICAL Act Now

Remote takeover of Oracle Agile PLM 9.3.6 is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. The Security component flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Tags indicate information disclosure as a key consequence, though the vector permits complete product compromise.

Oracle Oracle Agile Plm Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46857 CRITICAL Act Now

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network attackers to fully compromise the Oracle Management Service via HTTP. The flaw is rated CVSS 9.8 with low attack complexity and no user interaction, enabling complete takeover of the management platform. No public exploit identified at time of analysis, but the trivial exploitation profile and the platform's privileged role across managed Oracle estates make it a high-priority patching target.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46845 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is possible via the Security Framework component, allowing attackers to fully compromise the portal over HTTPS without credentials or user interaction. Oracle rates this 9.8 CVSS (AV:N/AC:L/PR:N/UI:N) and describes exploitation as 'easily exploitable', though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46813 CRITICAL Act Now

Unauthenticated remote takeover of Oracle WebCenter Content (Content Server component) is possible in supported versions 12.2.1.4.0 and 14.1.2.0.0 via a network-reachable HTTP attack path. The flaw carries a CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle describes exploitation as 'easily exploitable.' No public exploit identified at time of analysis, but the combination of unauthenticated network reach and full compromise warrants prioritized patching of any internet-exposed Content Server.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46807 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the OIM Legacy UI component when reachable over T3 or IIOP protocols, per Oracle's June 2026 Critical Patch Update advisory. The flaw scores CVSS 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity and access provisioning, successful exploitation effectively yields a tier-zero compromise of the IAM control plane.

Oracle Identity Manager Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46801 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vendor and CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) characterizing the flaw as easily exploitable and yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, the issue is not on the CISA KEV list, and no EPSS score was provided, but the 9.8 base score plus Oracle's 'takeover' wording make this a top-tier patching priority on the Oracle Critical Patch Update cycle.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46797 CRITICAL Act Now

Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the content management platform. Oracle's June 2026 Critical Patch Update advisory rates this 9.8 CVSS and describes it as easily exploitable with no authentication or user interaction. No public exploit identified at time of analysis, but the unauthenticated network vector and high impact place this among the highest-priority items in the CPU.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46783 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Content: Imaging (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via HTTP, per Oracle's June 2026 Critical Patch Update. With a CVSS 3.1 base score of 9.8 and AV:N/AC:L/PR:N/UI:N, the flaw in the Core component enables full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46774 CRITICAL Act Now

Remote takeover of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 is possible via the OUD Core component's RMI interface, allowing unauthenticated network attackers to fully compromise the LDAP directory service. Oracle rates this CVSS 9.8 with confidentiality, integrity, and availability impacts; no public exploit identified at time of analysis and it is not currently listed in CISA KEV, but the RMI attack surface and trivial complexity make it a high-priority patching target.

Oracle Oracle Unified Directory Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46773 CRITICAL Act Now

Unauthenticated LDAP-based takeover of Oracle Unified Directory affects supported versions 12.2.1.4.0 and 14.1.2.1.0 within Oracle Fusion Middleware, allowing a remote attacker with network reachability to the LDAP service to fully compromise the directory server. The flaw carries a CVSS 3.1 base score of 9.8 with high confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because directory services underpin enterprise identity, successful exploitation cascades into authentication and authorization decisions for every downstream application that relies on OUD.

Oracle Oracle Unified Directory Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46766 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP requests to the Content Server component, per Oracle's June 2026 CPU advisory. The CVSS 9.8 score reflects full confidentiality, integrity, and availability impact with no authentication required. Status is no public exploit identified at time of analysis, but trivial exploitability against an internet-facing enterprise content platform makes this a priority patching candidate.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35319 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible via the Content Server component over HTTP, scored CVSS 9.8 by Oracle. No public exploit identified at time of analysis, but the low attack complexity and lack of authentication requirement make this a high-priority patch target for any Oracle Fusion Middleware environment exposing WebCenter Content.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35312 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Virtual Directory 12.2.1.4.0 and 14.1.2.0.0 is possible via crafted LDAP traffic, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The flaw lives in the Virtual Directory Server component of Oracle Fusion Middleware and is described by Oracle as easily exploitable over the network with no authentication or user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Virtual Directory Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35310 CRITICAL Act Now

Remote takeover of Oracle Coherence (Fusion Middleware component) is possible by unauthenticated network attackers reaching the HTTP interface, per Oracle's June 2026 Critical Patch Update. Affected versions span 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0, with a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network reach make this a top-priority patch for any exposed Coherence cluster.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35309 CRITICAL Act Now

Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion Middleware deployments running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0. The flaw resides in the Centralized Third Party Jars component and carries a critical 9.8 CVSS score with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the trivial attack profile and Oracle's CPU disclosure pattern make weaponization likely.

Oracle Oracle Coherence Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35304 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and at the time of analysis no public exploit identified at time of analysis.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35300 CRITICAL Act Now

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by unauthenticated attackers with TCP network access to the Core component. Oracle rates this 9.8 with full confidentiality, integrity, and availability impact, and characterizes it as 'easily exploitable,' though no public exploit identified at time of analysis. The flaw is disclosed via the Oracle Critical Patch Update for June 2026 and currently shows no CISA KEV listing or EPSS data.

Oracle Weblogic Server Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35296 CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP, with full compromise of confidentiality, integrity, and availability per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects network-reachable, low-complexity exploitation with no user interaction, placing this among the most severe Fusion Middleware issues in the cycle. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35293 CRITICAL Act Now

Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middleware, enabling unauthenticated attackers to compromise the platform over HTTP. Oracle's June 2026 Critical Patch Update rates this 9.8 (CVSS 3.1) with confidentiality, integrity, and availability all marked High, and Oracle describes it as easily exploitable. No public exploit identified at time of analysis, and CWE classification is not provided in the supplied data.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35286 CRITICAL Act Now

Remote takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the Content Server component via HTTP, with no public exploit identified at time of analysis. The CVSS 9.8 score reflects complete confidentiality, integrity, and availability impact, and Oracle disclosed the issue in its June 2026 Critical Patch Update. Organizations running Fusion Middleware-based content management should treat this as a top-priority patching item given the trivial attack complexity.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-40750 CRITICAL Act Now

Arbitrary file upload in the Kids Online Store WordPress theme (versions up to and including 0.8.9) by themagnifico52 allows authenticated attackers to upload web shells and achieve remote code execution on the underlying server. The flaw is reported by Patchstack and carries a CVSS 3.1 score of 9.9 due to the scope-changing impact on the WordPress host. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

File Upload Kids Online Store
NVD VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-49980 CRITICAL PATCH GHSA Act Now

Unauthenticated remote command execution in rclone's remote control daemon (rcd) affects versions 1.55.0 through 1.74.2 when started with `--rc-serve` and without HTTP authentication. A single GET or HEAD request to `/[remote:path]/object` triggers backend initialization with attacker-controlled inline remote options, executing commands as the rclone process user. No public exploit identified at time of analysis, though the GHSA advisory describes the technique in detail and notes the issue bypasses the earlier CVE-2026-41179 fix.

Authentication Bypass Mozilla
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46919 CRITICAL Act Now

Remote takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) allows unauthenticated network attackers to fully compromise the Siebel Cloud Manager component via HTTP. The flaw carries a CVSS 9.8 with low attack complexity and no privileges or user interaction required, putting confidentiality, integrity, and availability at high risk. No public exploit identified at time of analysis, but Oracle's own advisory characterizes exploitation as easy.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46909 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers via HTTP, per Oracle's June 2026 Critical Patch Update. The flaw resides in the Enterprise Infrastructure Security component and carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the trivial exploitation profile (AV:N/AC:L/PR:N/UI:N) against an internet-reachable ERP tier makes this a high-priority patching target.

Oracle Authentication Bypass Jd Edwards Enterpriseone Tools
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46905 CRITICAL Act Now

Remote unauthenticated takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible via the Web Runtime Security component over HTTP, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network vector make this a high-priority patching target for any organization running this ERP suite. Oracle disclosed it in the June 2026 Critical Patch Update (CPU).

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46904 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET network service, yielding full confidentiality, integrity, and availability compromise of the platform. Oracle rates the issue CVSS 9.8 and describes it as easily exploitable, though no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46890 CRITICAL Act Now

Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. With a 9.8 CVSS base score and full confidentiality/integrity/availability impact, this represents a top-priority Oracle CPU finding, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46889 CRITICAL Act Now

Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the marketing component. Oracle's CVSS 3.1 base score of 9.8 reflects trivial network exploitability with no authentication or user interaction, and no public exploit identified at time of analysis. The flaw was disclosed in Oracle's Critical Patch Update cycle and tracked in ENISA's EUVD as EUVD-2026-37381.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46887 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle's CVSS 9.8 rating reflects easy exploitation with no authentication or user interaction required, though no public exploit is identified at time of analysis and the CVE is not currently listed in CISA KEV.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46884 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, requiring no privileges or user interaction. Successful exploitation yields full compromise of the Marketing component with high confidentiality, integrity, and availability impact (CVSS 9.8). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46883 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 score reflects full compromise of confidentiality, integrity, and availability via a network-reachable attack path with no user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46882 CRITICAL Act Now

Unauthenticated remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the JDENET network protocol, granting full confidentiality, integrity, and availability impact on the ERP middleware. Oracle rates this CVSS 9.8 and describes it as easily exploitable, but at the time of analysis there is no public exploit identified and no CISA KEV listing. Defenders running JD Edwards ERP workloads should treat this as a top-priority patch from the Oracle June 2026 Critical Patch Update.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46881 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible by unauthenticated network attackers reaching the JDENET communications service, with no public exploit identified at time of analysis. The flaw resides in the Enterprise Infrastructure Security component and yields full confidentiality, integrity, and availability impact (CVSS 9.8), making any internet- or partner-network-exposed JDENET listener an urgent patching priority.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46880 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication service over the network. The flaw is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46879 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and Oracle's own 'easily exploitable' wording indicate trivial exploitation, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not yet listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46878 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers reaching the JDENET service. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. No EPSS or CISA KEV signal is provided, but the combination of zero prerequisites and full impact warrants priority patching of internet-exposed JDE deployments.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-0126 CRITICAL Act Now

Remote code execution in the WC-Radio component on Google Android (Pixel) devices allows network-adjacent attackers to corrupt memory via an out-of-bounds write with no authentication or user interaction. The flaw carries a CVSS 9.8 rating and is addressed in the Pixel security bulletin dated 2026-06-01; no public exploit identified at time of analysis and EPSS is low at 0.15%.

RCE Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-12293 CRITICAL PATCH Act Now

Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.

Mozilla Information Disclosure Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
Prev Page 2 of 13 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy