Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.
Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management component) allows a low-privileged attacker with HTTP network access to compromise the platform and impact other Oracle products via scope change. The flaw carries a CVSS 9.9 rating reflecting low attack complexity and broad confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Enterprise Manager often holds privileged credentials for managed Oracle databases and middleware, successful exploitation effectively pivots the attacker into the wider Oracle estate.
Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework component, where a low-privileged authenticated attacker with HTTPS access can fully compromise the platform and impact adjacent products via a scope change. The flaw carries a CVSS 3.1 score of 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Oracle disclosed this in the June 2026 Critical Patch Update advisory (cspujun2026), and exploitation is rated low complexity.
Account takeover of Oracle WebCenter Enterprise Capture (12.2.1.4.0 and 14.1.2.0.0) is achievable by a low-privileged attacker with network access to the T3 or IIOP protocols. The CVSS 9.9 score reflects a scope-changing flaw in the Client Bundle component that can pivot beyond the originally compromised product, with full impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, but Oracle's own CPU advisory confirms the issue and the low attack complexity makes it a high-priority patching target.
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker over HTTP to gain unauthorized read, modify, and delete access to all framework-accessible data, with scope change extending impact to other Oracle E-Business Suite products. The CVSS 9.9 score reflects low attack complexity, low privileges required, and the scope change that crosses security boundaries into adjacent products. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Remote code execution in the Filipe Nasc RD Station WordPress plugin (versions up to and including 5.6.0) allows authenticated attackers to inject and execute arbitrary PHP code through an improper code-generation control flaw. The issue carries a critical CVSS 3.1 score of 9.9 with a scope-changing impact, and no public exploit identified at time of analysis, though Patchstack has catalogued it as a Remote Code Execution vulnerability in their WordPress vulnerability database.
Privilege escalation to SUPERADMIN in Postiz (gitroomhq/postiz-app) versions prior to 2.21.8 allows any authenticated user to forge session JWTs and impersonate arbitrary organizations. The Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware blindly trusted every claim without re-resolving the user from the database. No public exploit identified at time of analysis, but the fix commit is public and the root cause is trivially reproducible from the patch diff.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor component, allowing unauthenticated network attackers to fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 9.8 critical and describes it as easily exploitable over HTTP, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Oracle E-Business Suite, is possible over HTTPS with low attack complexity. The flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8) on the Core component and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the trivial exploitability profile makes this a high-priority patching target.
Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.
Remote takeover of Oracle Agile PLM 9.3.6 is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. The Security component flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Tags indicate information disclosure as a key consequence, though the vector permits complete product compromise.
Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network attackers to fully compromise the Oracle Management Service via HTTP. The flaw is rated CVSS 9.8 with low attack complexity and no user interaction, enabling complete takeover of the management platform. No public exploit identified at time of analysis, but the trivial exploitation profile and the platform's privileged role across managed Oracle estates make it a high-priority patching target.
Remote unauthenticated takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is possible via the Security Framework component, allowing attackers to fully compromise the portal over HTTPS without credentials or user interaction. Oracle rates this 9.8 CVSS (AV:N/AC:L/PR:N/UI:N) and describes exploitation as 'easily exploitable', though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated remote takeover of Oracle WebCenter Content (Content Server component) is possible in supported versions 12.2.1.4.0 and 14.1.2.0.0 via a network-reachable HTTP attack path. The flaw carries a CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle describes exploitation as 'easily exploitable.' No public exploit identified at time of analysis, but the combination of unauthenticated network reach and full compromise warrants prioritized patching of any internet-exposed Content Server.
Remote unauthenticated takeover of Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the OIM Legacy UI component when reachable over T3 or IIOP protocols, per Oracle's June 2026 Critical Patch Update advisory. The flaw scores CVSS 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity and access provisioning, successful exploitation effectively yields a tier-zero compromise of the IAM control plane.
Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vendor and CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) characterizing the flaw as easily exploitable and yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, the issue is not on the CISA KEV list, and no EPSS score was provided, but the 9.8 base score plus Oracle's 'takeover' wording make this a top-tier patching priority on the Oracle Critical Patch Update cycle.
Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the content management platform. Oracle's June 2026 Critical Patch Update advisory rates this 9.8 CVSS and describes it as easily exploitable with no authentication or user interaction. No public exploit identified at time of analysis, but the unauthenticated network vector and high impact place this among the highest-priority items in the CPU.
Remote unauthenticated takeover of Oracle WebCenter Content: Imaging (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via HTTP, per Oracle's June 2026 Critical Patch Update. With a CVSS 3.1 base score of 9.8 and AV:N/AC:L/PR:N/UI:N, the flaw in the Core component enables full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Remote takeover of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 is possible via the OUD Core component's RMI interface, allowing unauthenticated network attackers to fully compromise the LDAP directory service. Oracle rates this CVSS 9.8 with confidentiality, integrity, and availability impacts; no public exploit identified at time of analysis and it is not currently listed in CISA KEV, but the RMI attack surface and trivial complexity make it a high-priority patching target.
Unauthenticated LDAP-based takeover of Oracle Unified Directory affects supported versions 12.2.1.4.0 and 14.1.2.1.0 within Oracle Fusion Middleware, allowing a remote attacker with network reachability to the LDAP service to fully compromise the directory server. The flaw carries a CVSS 3.1 base score of 9.8 with high confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because directory services underpin enterprise identity, successful exploitation cascades into authentication and authorization decisions for every downstream application that relies on OUD.
Remote unauthenticated takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP requests to the Content Server component, per Oracle's June 2026 CPU advisory. The CVSS 9.8 score reflects full confidentiality, integrity, and availability impact with no authentication required. Status is no public exploit identified at time of analysis, but trivial exploitability against an internet-facing enterprise content platform makes this a priority patching candidate.
Remote unauthenticated takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible via the Content Server component over HTTP, scored CVSS 9.8 by Oracle. No public exploit identified at time of analysis, but the low attack complexity and lack of authentication requirement make this a high-priority patch target for any Oracle Fusion Middleware environment exposing WebCenter Content.
Remote unauthenticated takeover of Oracle Virtual Directory 12.2.1.4.0 and 14.1.2.0.0 is possible via crafted LDAP traffic, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The flaw lives in the Virtual Directory Server component of Oracle Fusion Middleware and is described by Oracle as easily exploitable over the network with no authentication or user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote takeover of Oracle Coherence (Fusion Middleware component) is possible by unauthenticated network attackers reaching the HTTP interface, per Oracle's June 2026 Critical Patch Update. Affected versions span 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0, with a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network reach make this a top-priority patch for any exposed Coherence cluster.
Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion Middleware deployments running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0. The flaw resides in the Centralized Third Party Jars component and carries a critical 9.8 CVSS score with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the trivial attack profile and Oracle's CPU disclosure pattern make weaponization likely.
Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and at the time of analysis no public exploit identified at time of analysis.
Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by unauthenticated attackers with TCP network access to the Core component. Oracle rates this 9.8 with full confidentiality, integrity, and availability impact, and characterizes it as 'easily exploitable,' though no public exploit identified at time of analysis. The flaw is disclosed via the Oracle Critical Patch Update for June 2026 and currently shows no CISA KEV listing or EPSS data.
Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP, with full compromise of confidentiality, integrity, and availability per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects network-reachable, low-complexity exploitation with no user interaction, placing this among the most severe Fusion Middleware issues in the cycle. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middleware, enabling unauthenticated attackers to compromise the platform over HTTP. Oracle's June 2026 Critical Patch Update rates this 9.8 (CVSS 3.1) with confidentiality, integrity, and availability all marked High, and Oracle describes it as easily exploitable. No public exploit identified at time of analysis, and CWE classification is not provided in the supplied data.
Remote takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the Content Server component via HTTP, with no public exploit identified at time of analysis. The CVSS 9.8 score reflects complete confidentiality, integrity, and availability impact, and Oracle disclosed the issue in its June 2026 Critical Patch Update. Organizations running Fusion Middleware-based content management should treat this as a top-priority patching item given the trivial attack complexity.
Arbitrary file upload in the Kids Online Store WordPress theme (versions up to and including 0.8.9) by themagnifico52 allows authenticated attackers to upload web shells and achieve remote code execution on the underlying server. The flaw is reported by Patchstack and carries a CVSS 3.1 score of 9.9 due to the scope-changing impact on the WordPress host. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated remote command execution in rclone's remote control daemon (rcd) affects versions 1.55.0 through 1.74.2 when started with `--rc-serve` and without HTTP authentication. A single GET or HEAD request to `/[remote:path]/object` triggers backend initialization with attacker-controlled inline remote options, executing commands as the rclone process user. No public exploit identified at time of analysis, though the GHSA advisory describes the technique in detail and notes the issue bypasses the earlier CVE-2026-41179 fix.
Remote takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) allows unauthenticated network attackers to fully compromise the Siebel Cloud Manager component via HTTP. The flaw carries a CVSS 9.8 with low attack complexity and no privileges or user interaction required, putting confidentiality, integrity, and availability at high risk. No public exploit identified at time of analysis, but Oracle's own advisory characterizes exploitation as easy.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers via HTTP, per Oracle's June 2026 Critical Patch Update. The flaw resides in the Enterprise Infrastructure Security component and carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the trivial exploitation profile (AV:N/AC:L/PR:N/UI:N) against an internet-reachable ERP tier makes this a high-priority patching target.
Remote unauthenticated takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible via the Web Runtime Security component over HTTP, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network vector make this a high-priority patching target for any organization running this ERP suite. Oracle disclosed it in the June 2026 Critical Patch Update (CPU).
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET network service, yielding full confidentiality, integrity, and availability compromise of the platform. Oracle rates the issue CVSS 9.8 and describes it as easily exploitable, though no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. With a 9.8 CVSS base score and full confidentiality/integrity/availability impact, this represents a top-priority Oracle CPU finding, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the marketing component. Oracle's CVSS 3.1 base score of 9.8 reflects trivial network exploitability with no authentication or user interaction, and no public exploit identified at time of analysis. The flaw was disclosed in Oracle's Critical Patch Update cycle and tracked in ENISA's EUVD as EUVD-2026-37381.
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle's CVSS 9.8 rating reflects easy exploitation with no authentication or user interaction required, though no public exploit is identified at time of analysis and the CVE is not currently listed in CISA KEV.
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, requiring no privileges or user interaction. Successful exploitation yields full compromise of the Marketing component with high confidentiality, integrity, and availability impact (CVSS 9.8). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 score reflects full compromise of confidentiality, integrity, and availability via a network-reachable attack path with no user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the JDENET network protocol, granting full confidentiality, integrity, and availability impact on the ERP middleware. Oracle rates this CVSS 9.8 and describes it as easily exploitable, but at the time of analysis there is no public exploit identified and no CISA KEV listing. Defenders running JD Edwards ERP workloads should treat this as a top-priority patch from the Oracle June 2026 Critical Patch Update.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible by unauthenticated network attackers reaching the JDENET communications service, with no public exploit identified at time of analysis. The flaw resides in the Enterprise Infrastructure Security component and yields full confidentiality, integrity, and availability impact (CVSS 9.8), making any internet- or partner-network-exposed JDENET listener an urgent patching priority.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication service over the network. The flaw is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and Oracle's own 'easily exploitable' wording indicate trivial exploitation, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not yet listed in CISA KEV.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers reaching the JDENET service. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. No EPSS or CISA KEV signal is provided, but the combination of zero prerequisites and full impact warrants priority patching of internet-exposed JDE deployments.
Remote code execution in the WC-Radio component on Google Android (Pixel) devices allows network-adjacent attackers to corrupt memory via an out-of-bounds write with no authentication or user interaction. The flaw carries a CVSS 9.8 rating and is addressed in the Pixel security bulletin dated 2026-06-01; no public exploit identified at time of analysis and EPSS is low at 0.15%.
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.