
Oracle Database

Databases & Data Platforms

Summary (last 90 days):
  • Open CVEs: 175
  • Exploited: 0
  • KEV: 0
  • Unpatched: 130
  • No Workaround: 102
  • Internet-facing: 117

Why this provider is risky now

This provider has 175 open CVE(s) in the last 90 days. 130 have no vendor patch. 117 affect internet-facing services. 87 impact the management/identity plane.

  • Unpatched: 130
  • Mgmt / Admin Plane: 87
  • Public PoC: 2
  • No Workaround: 102
  • Internet-facing: 117

Top Risky CVEs

CVE-2026-21992
Act Now
Unpatched
A critical authentication bypass vulnerability in Oracle Identity Manager and Oracle Web Services Manager allows remote attackers to completely compromise affected systems without any credentials. The vulnerability resides in the REST WebServices and Web Services Security components, affecting versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, this represents a severe risk to identity management infrastructure, though no current KEV listing or public PoC has been documented in available sources.
Within 24 hours: Identify all instances of Oracle Identity Manager and Web Services Manager in your environment; isolate affected systems from public network access and document current user activity logs. Within 7 days: Implement network segmentation to restrict access to affected systems, deploy WAF rules to block suspicious WebServices REST API requests, and disable Web Services Security components if operationally feasible. Within 30 days: Contact Oracle for patch status and expedited security updates; evaluate alternative identity management solutions; conduct forensic analysis for signs of exploitation; implement enhanced monitoring and alerting for authentication-related anomalies.
Tags: Edge exposure, ICT dependency, No patch available, Management plane, PoC
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: Oracle Database
  • Proof of concept available
  • No patch available
  • Management plane (Missing Authentication for Critical Function)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
  • CVSS: 9.8
  • EPSS: 0.0%
  • Priority: 69
CVE-2026-28490
This Month
Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle vulnerability that leaks decryption failures through timing and exception patterns, allowing attackers to decrypt sensitive data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side-channel. Public exploit code exists for this vulnerability affecting Authlib users in Python and related Oracle products.
Within 24 hours: Identify all applications and services using the Authlib library and verify which are actively using the RSA1_5 key management algorithm. Within 7 days: Apply the available patch to all affected systems and conduct regression testing of authentication and encryption workflows. Within 30 days: Conduct a cryptographic audit of all JWE implementations and migrate from RSA1_5 to RSA-OAEP or ECDH-ES algorithms where feasible.
Tags: Edge exposure, ICT dependency, PoC, Patched
  • CVSS: 6.5
  • EPSS: 0.0%
  • Priority: 53
CVE-2026-46840
Act Now
Unpatched
Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS 10.0 score and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit was identified at the time of analysis and no EPSS or CISA KEV signal was present in the available data.
Within 24 hours: Inventory all ORDS deployments and identify instances running versions 24.2.0 through 26.1.0; isolate vulnerable ORDS instances using network segmentation; enable audit logging on all ORDS instances. Within 7 days: Deploy Web Application Firewall (WAF) or Intrusion Prevention System (IPS) rules targeting CVE-2026-46840; restrict ORDS network access to authorized clients and IP ranges only; increase security monitoring and alerting frequency. Within 30 days: Contact Oracle for patched version availability and security timeline; develop and test an ORDS upgrade plan; conduct a comprehensive security assessment of all systems connected to potentially compromised ORDS instances.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
  • CVSS: 10.0
  • EPSS: 0.0%
  • Priority: 50
CVE-2026-46775
Act Now
Unpatched
Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote attacker over HTTPS, with scope-changed impact extending to additional Oracle products beyond ORDS itself. Oracle rates this 9.9 CVSS due to the combination of low attack complexity, minimal privilege requirement, and full confidentiality/integrity/availability compromise; no public exploit was identified at the time of analysis, but the easy exploitability noted in Oracle's advisory makes this a high-priority patch target.
Within 24 hours: Conduct an inventory of all ORDS instances running versions 24.2.0 through 26.1.0 and document their network access paths and data connectivity. Within 7 days: Implement strict network access controls (IP whitelisting, WAF rules, firewall policies) limiting ORDS connections to necessary systems only; enable detailed audit logging on all ORDS instances. Within 30 days: Monitor Oracle security advisories for patch release; prepare and test upgrade procedures for all affected instances; evaluate temporary workload migration for critical applications if feasible while awaiting the patch.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
  • CVSS: 9.9
  • EPSS: 0.0%
  • Priority: 50
CVE-2026-46822
Act Now
Unpatched
Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the iAssets component and pivot into adjacent products via a scope change. The 9.9 CVSS score reflects high impact on confidentiality, integrity, and availability combined with low attack complexity; no public exploit was identified at the time of analysis, but Oracle's inclusion of this issue in the May 2026 Critical Patch Update warrants immediate attention.
Within 24 hours: Identify all systems running Oracle E-Business Suite versions 12.2.3 through 12.2.15; document iAssets deployment scope and user access patterns; review authentication logs for suspicious account activity. Within 7 days: Implement network segmentation restricting iAssets HTTP access to authorized users and networks only; enforce multi-factor authentication on all iAssets administrative accounts; disable the iAssets component if operationally feasible. Within 30 days: Monitor Oracle security advisories for patch release; prioritize upgrade to versions beyond 12.2.15 when a patch becomes available, or evaluate migration to Oracle Cloud Applications as long-term remediation.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
  • CVSS: 9.9
  • EPSS: 0.0%
  • Priority: 50
CVE-2026-46824
Act Now
Unpatched
Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows low-privileged remote attackers over HTTP to fully compromise the product with confidentiality, integrity, and availability impact. The CVSS 9.9 score reflects a scope-changing flaw whose blast radius extends to other Oracle E-Business Suite products beyond Universal Work Queue itself. No public exploit was identified at the time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority Oracle Critical Patch Update item.
Within 24 hours: Inventory all Oracle E-Business Suite deployments and identify instances running versions 12.2.3 through 12.2.15. Within 7 days: Restrict HTTP network access to Universal Work Queue administration interfaces via firewall/WAF rules; enable enhanced authentication logging and real-time alerting on suspicious account activity. Within 30 days: Subscribe to Oracle Critical Patch Update channels; prepare emergency change management procedures to deploy patched versions (12.2.15-patch or later) immediately upon vendor release.
Tags: ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Privilege Management)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
  • CVSS: 9.9
  • EPSS: 0.0%
  • Priority: 50
CVE-2026-46839
Act Now
Unpatched
Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker over HTTPS to fully compromise the service and pivot into adjacent products via a CVSS scope change. The CVSS 3.1 base score is 9.9 with attack complexity rated low, and no public exploit was identified at the time of analysis. The scope-change designation is the key differentiator: successful exploitation extends beyond ORDS itself into the systems it fronts, most notably the backing Oracle Database.
Within 24 hours: Identify and inventory all systems running ORDS 24.2.0 through 26.1.0; assess network exposure and access paths to affected instances. Within 7 days: Implement network segmentation restricting ORDS access to authorized internal sources only; enable enhanced logging on ORDS endpoints and database authentication; rotate credentials for service accounts with ORDS access. Within 30 days: Monitor Oracle security advisories for patch availability; conduct architecture review to isolate ORDS from direct database connectivity; develop and test upgrade strategy to a patched ORDS version once released.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
  • CVSS: 9.9
  • EPSS: 0.0%
  • Priority: 50
CVE-2026-21994
Act Now
Unpatched
This is a critical unauthenticated remote code execution vulnerability in Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0. An attacker with network access via HTTP can completely take over the affected system without any authentication, privileges, or user interaction required. The CVSS score of 9.8 reflects maximum impact across confidentiality, integrity, and availability. There is no evidence of active exploitation (not in CISA KEV), and no proof-of-concept code has been publicly identified in the available intelligence.
Within 24 hours: Identify all instances of version 0.3.0 in production and development environments; isolate affected systems from untrusted networks if possible. Within 7 days: Implement network-level access controls (restrict HTTP access to authorized users/IPs only); deploy WAF rules to block suspicious requests; escalate with Oracle for patch timeline. Within 30 days: Plan migration to patched version upon Oracle's release; conduct security assessment of affected systems; review access logs for evidence of exploitation.
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Improper Access Control)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
  • CVSS: 9.8
  • EPSS: 0.0%
  • Priority: 49
CVE-2026-34275
Act Now
Unpatched
Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploi
Tags: Edge exposure, ICT dependency, No patch available, Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: Oracle Database
  • No patch available
  • Management plane (Missing Authentication for Critical Function)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • Authentication / access control weakness
  • CVSS: 9.8
  • EPSS: 0.0%
  • Priority: 49
CVE-2026-34311
Act Now
Unpatched
Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28) is achievable by unauthenticated network attackers over HTTP, per Oracle's May 2026 CPU. With CVSS 9.8 and full CIA impact, this is a critical hospitality-sector exposure, though no public exploit was identified at the time of analysis and no KEV listing is present. EPSS data was not supplied, so the probability of exploitation cannot be quantified.
Within 24 hours: Identify all systems running OPERA 5 versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, or 5.6.28; assess network exposure and restrict HTTP access to trusted administrative networks only via firewall rules. Within 7 days: Deploy network-based access restrictions (WAF/load balancer rules); enable comprehensive logging and real-time alerting for OPERA 5 anomalous activity. Within 30 days: Establish daily monitoring of Oracle security advisories for patch release; evaluate upgrade paths or air-gap deployment options for affected properties; prioritize remediation workflow for immediate deployment once patch is available.
Tags: ICT dependency, No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Oracle Database
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Oracle Database (Databases & Data Platforms)
  • No remediation available
  • CVSS: 9.8
  • EPSS: 0.0%
  • Priority: 49

By Exposure
  • Internet-facing: 117
  • Mgmt / Admin Plane: 87
  • Identity / Auth: 20
  • Internal only: 51

By Exploitability
  • Known exploited: 0
  • Public PoC: 2
  • High EPSS (>30%): 0
  • Remote unauthenticated: 73
  • Local only: 19

By Remediation
  • Patch available: 45
  • No patch: 130
  • Workaround available: 44
  • No workaround: 102

Affected Services / Product Families

Oracle
175 CVE(s)
CVE-2026-3968 LOW Unpatched
CVE-2026-32111 MEDIUM Patched
CVE-2026-28490 MEDIUM PoC Patched
CVE-2026-4258 HIGH Patched
CVE-2026-21994 CRITICAL Unpatched
CVE-2026-21992 CRITICAL PoC Unpatched
CVE-2026-32935 HIGH Patched
CVE-2026-33292 HIGH Unpatched
CVE-2026-33429 MEDIUM Patched
CVE-2026-33763 MEDIUM Patched
+ 165 more
