Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle describes easily exploitable unauthenticated HTTP takeover with full CIA impact, supporting AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H; no scope change indicated.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers via HTTP, per Oracle's June 2026 Critical Patch Update. The flaw resides in the Enterprise Infrastructure Security component and carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network HTTP reachability to a JD Edwards EnterpriseOne Tools 9.2.0.0-9.2.26.2 deployment with the Enterprise Infrastructure Security component in its default supported configuration; no authentication, no user interaction, and no special non-default feature toggle are called out by Oracle. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to high real-world risk: the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes a network-reachable, low-complexity, no-auth, no-interaction attack yielding full takeover, and Oracle's own description characterizes it as 'easily exploitable.' EPSS, KEV, and SSVC data are not provided in the input, so probability-of-exploitation and active-exploitation status cannot be quantified - this is a data gap rather than evidence of low risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a JD Edwards EnterpriseOne Tools HTTP endpoint - for example an exposed HTML Server or AIS Server - sends a crafted HTTP request that bypasses Enterprise Infrastructure Security checks, gaining the equivalent of a privileged Tools session without credentials. From there the attacker can read or alter ERP master data, financial transactions, and security configuration, and pivot into connected database and integration servers. … |
| Remediation | Apply the fixes shipped in Oracle's Critical Patch Update for June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html); the CPU contains the Tools update that supersedes 9.2.26.2 - administrators should consult the CPU advisory matrix for the exact target Tools release applicable to their environment, as no fixed version is independently confirmed in the input data beyond 'patch available per vendor advisory.' Until the CPU is applied, restrict network reachability of the JD Edwards HTML Server, AIS Server, and Server Manager endpoints to trusted management networks via firewall or reverse-proxy ACLs, and place a WAF in front of internet- or partner-facing JDE web tiers to filter anomalous HTTP requests - note that AIS REST clients and integrations may break if allowlists are too narrow. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37228