What is the CVSS score of EUVD-2026-33017?

EUVD-2026-33017 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Which versions of Oracle REST Data Services are affected by EUVD-2026-33017?

Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 contain a critical privilege escalation vulnerability (CVSS 9.9) that enables remote attackers to fully compromise the service and…

Oracle REST Data Services EUVD-2026-33017

| CVE-2026-46839 CRITICAL

2026-05-28 oracle

GHSA-4c2q-9g38-8v79

Information Disclosure Oracle

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 28, 2026 - 21:21 vuln.today

DescriptionNVD

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker over HTTPS to fully compromise the service and pivot into adjacent products via a CVSS scope change. CVSS 3.1 base score is 9.9 with attack complexity rated low, and no public exploit identified at time of analysis. …

RemediationAI

Within 24 hours: Identify and inventory all systems running ORDS 24.2.0 through 26.1.0; assess network exposure and access paths to affected instances. Within 7 days: Implement network segmentation restricting ORDS access to authorized internal sources only; enable enhanced logging on ORDS endpoints and database authentication; rotate credentials for service accounts with ORDS access. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-46840 CRITICAL Act Now

10.0 May 28

Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to c

CVE-2026-46775 CRITICAL Act Now

9.9 May 28

Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote att

CVE-2026-46822 CRITICAL Act Now

9.9 May 28

Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privil

CVE-2026-46824 CRITICAL Act Now

9.9 May 28

Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Bus

CVE-2026-34311 CRITICAL Act Now

9.8 May 28

Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.

EUVD-2026-33017 vulnerability details – vuln.today

Back

Oracle REST Data Services EUVD-2026-33017

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code