Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable so AV:N, no special conditions AC:L, requires existing high-privileged ADF account so PR:H, no victim action UI:N, full takeover gives C/I/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Shared Components). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess high privileges on the target Oracle ADF deployment (PR:H) and network HTTP reachability to the ADF Shared Components interface; no user interaction is needed (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H produces a base score of 7.2 (High), driven by full C/I/A impact but tempered by the PR:H requirement that the attacker already hold high privileges within the ADF environment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already obtained high-privileged credentials on an Oracle Fusion Middleware environment - for example through a phished administrator account or a chained exploit elsewhere in the stack - sends crafted HTTP requests to the ADF Shared Components interface. Because the vector is AC:L and UI:N, the request requires no special timing and no victim interaction, and a successful request results in full takeover of the ADF instance with high impact to confidentiality, integrity, and availability. … |
| Remediation | Apply the patches distributed in the Oracle Critical Security Patch Update for June 2026 referenced at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory, with exact patched build numbers identified in the CPU matrix for the 12.2.1.4.0 and 14.1.2.0.0 release lines. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Oracle Fusion Middleware ADF 12.2.1.4.0 and 14.1.2.0.0; implement network access restrictions to ADF Shared Components limiting HTTP connectivity to administrative users only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework compo
Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnera
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 ex
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37458