Open CVEs: 48
Exploited: 0
KEV: 0
Unpatched: 31
No Workaround: 8
Internet-facing: 32
Why this provider is risky now
This provider has 48 open CVE(s) in the last 30 days. 31 have no vendor patch. 32 affect internet-facing services. 19 impact the management/identity plane.
31 Unpatched
19 Mgmt / Admin Plane
8 No Workaround
32 Internet-facing
Top Risky CVEs
Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS 10.0 score and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit was identified at the time of analysis and no EPSS or CISA KEV signal was provided in the available data.
Within 24 hours: Inventory all ORDS deployments and identify instances running versions 24.2.0-26.1.0; isolate vulnerable ORDS instances using network segmentation; enable audit logging on all ORDS instances.
Within 7 days: Deploy Web Application Firewall (WAF) or Intrusion Prevention System (IPS) rules targeting CVE-2026-46840; restrict ORDS network access to authorized clients and IP ranges only; increase security monitoring and alerting frequency.
Within 30 days: Contact Oracle for patched version availability and security timeline; develop and test ORDS upgrade plan; conduct comprehensive security assessment of all systems connected to potentially compromised ORDS instances.
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Oracle Database
- No patch available
- Management plane (Improper Access Control)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 10.0 | EPSS: 0.0% | Priority: 50
Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote attacker over HTTPS, with scope-changed impact extending to additional Oracle products beyond ORDS itself. Oracle rates this CVSS 9.9 due to the combination of low attack complexity, minimal privilege requirement, and full confidentiality/integrity/availability compromise; no public exploit was identified at the time of analysis, but the easy exploitability noted in Oracle's advisory makes this a high-priority patch target.
Within 24 hours: Conduct inventory of all ORDS instances running versions 24.2.0-26.1.0 and document their network access paths and data connectivity.
Within 7 days: Implement strict network access controls (IP whitelisting, WAF rules, firewall policies) limiting ORDS connections to necessary systems only; enable detailed audit logging on all ORDS instances.
Within 30 days: Monitor Oracle security advisories for patch release; prepare and test upgrade procedures for all affected instances; evaluate temporary workload migration for critical applications if feasible while awaiting patch.
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Oracle Database
- No patch available
- Management plane (Improper Access Control)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 9.9 | EPSS: 0.0% | Priority: 50
Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the iAssets component and pivot into adjacent products via a scope change. The 9.9 CVSS score reflects high impact on confidentiality, integrity, and availability combined with low attack complexity; no public exploit was identified at the time of analysis, but its inclusion in Oracle's May 2026 Critical Patch Update warrants immediate attention.
Within 24 hours: Identify all systems running Oracle E-Business Suite versions 12.2.3-12.2.15; document iAssets deployment scope and user access patterns; review authentication logs for suspicious account activity.
Within 7 days: Implement network segmentation restricting iAssets HTTP access to authorized users and networks only; enforce multi-factor authentication on all iAssets administrative accounts; disable iAssets component if operationally feasible.
Within 30 days: Monitor Oracle security advisories for patch release; prioritize upgrade to versions beyond 12.2.15 when patch becomes available, or evaluate migration to Oracle Cloud Applications as long-term remediation.
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Oracle Database
- No patch available
- Management plane (Improper Access Control)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 9.9 | EPSS: 0.0% | Priority: 50
Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows low-privileged remote attackers over HTTP to fully compromise the product with confidentiality, integrity, and availability impact. The CVSS 9.9 score reflects a scope-changing flaw whose blast radius extends to other Oracle E-Business Suite products beyond Universal Work Queue itself. No public exploit was identified at the time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority Oracle Critical Patch Update item.
Within 24 hours: Inventory all Oracle E-Business Suite deployments and identify instances running versions 12.2.3 through 12.2.15.
Within 7 days: Restrict HTTP network access to Universal Work Queue administration interfaces via firewall/WAF rules; enable enhanced authentication logging and real-time alerting on suspicious account activity.
Within 30 days: Subscribe to Oracle Critical Patch Update channels; prepare emergency change management procedures to deploy patched versions (12.2.15-patch or later) immediately upon vendor release.
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Oracle Database
- No patch available
- Management plane (Improper Privilege Management)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 9.9 | EPSS: 0.0% | Priority: 50
Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker over HTTPS to fully compromise the service and pivot into adjacent products via a CVSS scope change. The CVSS 3.1 base score is 9.9 with attack complexity rated low, and no public exploit was identified at the time of analysis. The scope-change designation is the key differentiator: successful exploitation extends beyond ORDS itself into the systems it fronts, most notably the backing Oracle Database.
Within 24 hours: Identify and inventory all systems running ORDS 24.2.0 through 26.1.0; assess network exposure and access paths to affected instances.
Within 7 days: Implement network segmentation restricting ORDS access to authorized internal sources only; enable enhanced logging on ORDS endpoints and database authentication; rotate credentials for service accounts with ORDS access.
Within 30 days: Monitor Oracle security advisories for patch availability; conduct architecture review to isolate ORDS from direct database connectivity; develop and test upgrade strategy to a patched ORDS version once released.
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Oracle Database
- No patch available
- Management plane (Improper Access Control)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 9.9 | EPSS: 0.0% | Priority: 50
Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28) is achievable by unauthenticated network attackers over HTTP, per Oracle's May 2026 CPU. With CVSS 9.8 and full CIA impact, this is a critical hospitality-sector exposure, though no public exploit was identified at the time of analysis and the CVE is not listed in CISA KEV. EPSS data was not supplied, so the probability of exploitation cannot be quantified.
Within 24 hours: Identify all systems running OPERA 5 versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, or 5.6.28; assess network exposure and restrict HTTP access to trusted administrative networks only via firewall rules.
Within 7 days: Deploy network-based access restrictions (WAF/load balancer rules); enable comprehensive logging and real-time alerting for OPERA 5 anomalous activity.
Within 30 days: Establish daily monitoring of Oracle security advisories for patch release; evaluate upgrade paths or air-gap deployment options for affected properties; prioritize remediation workflow for immediate deployment once patch is available.
ICT dependency
No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Oracle Database
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available
CVSS: 9.8 | EPSS: 0.0% | Priority: 49
Remote takeover of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible via the File Transmission component, allowing unauthenticated network-based attackers to fully compromise confidentiality, integrity, and availability (CVSS 9.8). The flaw is described by Oracle as easily exploitable over HTTP with no user interaction, and no public exploit was identified at the time of analysis. It is tagged as Information Disclosure and listed in Oracle's May 2026 Critical Patch Update advisory.
Within 24 hours: Identify all Oracle E-Business Suite instances in your environment and document which are running versions 12.2.3-12.2.15. Contact Oracle support to confirm patch timeline and request vulnerability management guidance.
Within 7 days: Implement firewall rules restricting HTTP access to the Payments module to authorized administrative networks only; consider disabling the File Transmission component if operationally feasible; increase monitoring of Payments module activity logs for anomalous access.
Within 30 days: Plan and schedule upgrade to Oracle E-Business Suite versions 12.2.16 or later (once Oracle confirms patch availability); document baseline access patterns to identify exploitation attempts during the interim period.
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Oracle Database
- No patch available
- Management plane (Improper Privilege Management)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 9.8 | EPSS: 0.0% | Priority: 49
CVE-2026-29080
Act Now
SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. The vendor has confirmed the vulnerability and released patches across four version branches. PostgreSQL and MySQL deployments are not affected because SQLAlchemy parameterization is applied correctly on those database dialects.
Within 24 hours: Identify all Rucio instances using Oracle backends (check database configuration in rucio.cfg) and verify installed versions against the affected range (1.27.0-40.1.0).
Within 7 days: Apply vendor-released patches for your version branch (check Rucio releases page for Oracle-specific patches; patch availability confirmed across four version branches per vendor advisory). If patching is not immediately possible, restrict DID search API access to essential users only via reverse proxy/WAF rules blocking /dids/search endpoints.
Within 30 days: Complete migration or patching of all affected instances; conduct data access audit to identify any suspicious database queries during vulnerability window.
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-89: SQL Injection)
- Third-party ICT: Oracle Database, PostgreSQL
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- ICT provider: PostgreSQL (Databases & Data Platforms)
CVSS: 9.4 | EPSS: 0.1% | Priority: 47
CVE-2026-27886
Act Now
Boolean-oracle information disclosure in Strapi Content API allows remote unauthenticated attackers to extract admin password-reset tokens and achieve full administrative account takeover. Strapi versions 4.0.0 through 5.36.1 fail to sanitize relational query parameters on public content-type endpoints. By crafting `where` filters that traverse into joined `admin_users` table columns (e.g., `where[updatedBy][resetPasswordToken][$startsWith]=a`), attackers perform character-by-character oracle attacks against private admin fields, then use the extracted reset token to hijack administrator accounts. WildWest CyberSecurity reports this critical vulnerability with CVSS 9.3, affecting all Strapi deployments with public content-types containing admin-relation fields (`updatedBy`, `createdBy`, `publishedBy`). A vendor-released patch is available in version 5.37.0. No active exploitation or public PoC was identified at the time of analysis.
Within 24 hours: Identify all Strapi deployments in production and development; verify versions against 4.0.0-5.36.1; audit content-type schemas for admin-relation fields (updatedBy, createdBy, publishedBy).
Within 7 days: Apply vendor-released patch to Strapi 5.37.0 or later across all affected instances; conduct password reset for all administrator accounts as precautionary measure.
Within 30 days: Review access logs for suspicious `where` filter patterns on content endpoints; implement request logging and anomaly detection for relational query parameters; perform security audit of admin account activity.
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Third-party ICT: Oracle Database
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
CVSS: 9.2 | EPSS: 0.1% | Priority: 46
Remote unauthenticated compromise of Oracle Internet Procurement Connector (a component of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows attackers to read, modify, create, or delete all data accessible to the component over HTTP. The CVSS 9.1 score reflects high confidentiality and integrity impact with low attack complexity and no privileges or user interaction required. No public exploit was identified at the time of analysis, but the trivial exploitability profile, combined with EBS's history of being targeted (e.g., CVE-2025 Cl0p campaigns), makes this a priority patch for any internet-exposed deployment.
Within 24 hours: Inventory all Oracle E-Business Suite instances running versions 12.2.3-12.2.15 and identify any with internet-exposed Oracle Internet Procurement Connector endpoints.
Within 7 days: Restrict HTTP/HTTPS access to the vulnerable component to internal networks only through network segmentation, WAF rules, or access control lists; enable detailed logging on procurement module transactions.
Within 30 days: Contact Oracle support for patch status and timeline; evaluate decommissioning or version upgrade for affected EBS systems; conduct penetration testing to validate compensating control effectiveness.
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Oracle Database
- No patch available
- Management plane (Improper Access Control)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Oracle Database (Databases & Data Platforms)
- No remediation available
- Authentication / access control weakness
CVSS: 9.1 | EPSS: 0.0% | Priority: 46
By Exposure
Internet-facing: 32
Mgmt / Admin Plane: 19
Identity / Auth: 5
Internal only: 11
By Exploitability
Known exploited: 0
Public PoC: 0
High EPSS (>30%): 0
Remote unauthenticated: 24
Local only: 3
By Remediation
Patch available: 17
No patch: 31
Workaround available: 27
No workaround: 8
Affected Services / Product Families
Oracle: 48 CVE(s)