Skip to main content

Authentication Bypass

31263 CVEs technique

Monthly

CVE-2026-46976 HIGH This Week

Full takeover of Oracle Public Sector Payroll (E-Business Suite 12.2.3-12.2.15) is possible by a high-privileged, network-adjacent attacker exploiting a flaw in the Internal Operations component, with confidentiality, integrity, and availability all fully impacted. Oracle's June 2026 Critical Patch Update describes the issue as easily exploitable over HTTP once privileges are held, and no public exploit identified at time of analysis. CVSS 3.1 base score is 7.2.

Oracle Oracle Public Sector Payroll Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46974 HIGH This Week

Privileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high privileges to take over the VirtualBox installation and cross the hypervisor boundary into additional products (scope-changed). Oracle's CPU advisory rates this CVSS 3.1 7.5 with high attack complexity; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Oracle Vm Virtualbox Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-46973 HIGH This Week

Account takeover in Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker to fully compromise the module over HTTP. With CVSS 3.1 base score 8.8 and high impact on confidentiality, integrity, and availability, this is a high-priority patching item, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Oracle Oracle Outsourced Mfg For Discrete Industries Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46972 HIGH This Week

Full takeover of Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) is achievable by a low-privileged authenticated attacker over HTTP, per Oracle's June 2026 Critical Patch Update advisory. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity, though no public exploit identified at time of analysis. Affected versions span 12.2.3 through 12.2.15 of Oracle E-Business Suite.

Oracle Oracle Outsourced Mfg For Discrete Industries Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46969 HIGH This Week

Privileged takeover of Oracle Financials for EMEA (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows an authenticated high-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the module. The CVSS 3.1 base score is 7.2 with vector AV:N/AC:L/PR:H/UI:N, and there is no public exploit identified at time of analysis.

Oracle Oracle Financials For Emea Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46967 HIGH This Week

Authorization flaw in Oracle Public Sector Financials (International) versions 12.2.3 through 12.2.15 enables low-privileged authenticated attackers with HTTP network access to fully take over the affected component. Oracle's Critical Patch Update describes the issue as easily exploitable with high impact to confidentiality, integrity, and availability (CVSS 8.8). No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Oracle Oracle Public Sector Financials International Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46966 HIGH This Week

Takeover of Oracle Universal Work Queue is possible in Oracle E-Business Suite versions 12.2.3 through 12.2.15 via the Work Provider Site Level Administration component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the module. Oracle classifies the issue as difficult to exploit (AC:H), and no public exploit identified at time of analysis. The flaw was disclosed in the Oracle Critical Patch Update of June 2026.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46965 HIGH This Week

Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the Work Provider Site Level Administration component. Oracle rates this as easily exploitable with full confidentiality, integrity, and availability impact (CVSS 3.1 base 8.8), though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46964 CRITICAL Act Now

Privilege escalation and full takeover of Oracle Universal Work Queue (component: Work Provider Site Level Administration) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker over HTTP to compromise the application with scope change extending impact to additional products. The CVSS 3.1 base score is 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46963 CRITICAL Act Now

Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component via HTTP, with a scope change that can significantly impact other connected products. The CVSS 3.1 base score of 9.9 reflects high confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis. Authenticated EBS users - including low-tier business users - should be treated as potential threat actors against this surface.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46962 HIGH This Week

Authenticated takeover of Oracle Project Portfolio Analysis (E-Business Suite versions 12.2.3 through 12.2.15) is possible over HTTP, allowing a low-privileged attacker to fully compromise the application's confidentiality, integrity, and availability. Oracle rates this as easily exploitable with a CVSS 3.1 base score of 8.8, though no public exploit identified at time of analysis. The flaw resides in the Internal Operations component and was disclosed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Project Portfolio Analysis Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46961 HIGH This Week

Account takeover in Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the module over HTTP. Oracle's June 2026 Critical Patch Update rates the issue 8.8 with high confidentiality, integrity, and availability impacts, and the CVSS vector flags it as easily exploitable; no public exploit identified at time of analysis and the issue is not on CISA KEV.

Oracle Oracle Project Portfolio Analysis Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46960 HIGH This Week

Full product takeover of Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) is possible by an authenticated high-privileged attacker over HTTP, affecting supported versions 12.2.3 through 12.2.15. The flaw yields complete confidentiality, integrity, and availability impact on the application. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Oracle Project Portfolio Analysis Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46959 HIGH This Week

Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows an authenticated low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the module. Although the CVSS 3.1 base score is 7.5 with high impact across all three pillars, the AC:H rating signals non-trivial exploitation requirements, and there is no public exploit identified at time of analysis.

Oracle Oracle Subledger Accounting Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46957 HIGH This Week

Takeover of Oracle iSupplier Portal (E-Business Suite versions 12.2.3 through 12.2.15) is achievable by a low-privileged remote attacker over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw is rated CVSS 7.5 with high confidentiality, integrity, and availability impact, but carries high attack complexity, suggesting non-trivial preconditions. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Oracle Oracle Isupplier Portal Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46956 HIGH This Week

Takeover of Oracle Property Manager (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by a high-privileged attacker with HTTP network access, with no public exploit identified at time of analysis. Oracle rates the issue easily exploitable with full confidentiality, integrity, and availability impact, but the PR:H requirement narrows the practical attacker pool to those already holding elevated EBS application privileges. The flaw is disclosed in the Oracle Critical Patch Update of June 2026 and tagged as Information Disclosure / Oracle Property Manager.

Oracle Oracle Property Manager Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46952 HIGH This Week

Account takeover in the Oracle Quality module of Oracle E-Business Suite 12.2.3 through 12.2.15 allows a low-privileged attacker with HTTP network access to fully compromise the Quality component, impacting confidentiality, integrity, and availability (CVSS 3.1 8.8). The flaw resides in the Internal Operations component and is rated easily exploitable by Oracle's own advisory, though no public exploit identified at time of analysis and the issue is not yet listed in CISA KEV.

Oracle Oracle Quality Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46951 HIGH This Week

Account takeover of the Oracle Quality module in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the component over HTTP. Per the vendor's June 2026 Critical Patch Update advisory the issue is rated CVSS 8.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Risk is elevated for internet- or intranet-exposed EBS deployments because exploitation is rated 'easily exploitable' and only requires a valid low-privilege session.

Oracle Oracle Quality Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46950 HIGH This Week

Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite component, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker with HTTP access to fully compromise the product's confidentiality, integrity, and availability. Oracle has published a fix in the June 2026 Critical Patch Update, and the CVSS 3.1 base score of 8.8 reflects an easily exploitable network-borne flaw, though no public exploit identified at time of analysis and EPSS data was not provided.

Oracle Oracle Advanced Outbound Telephony Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46949 CRITICAL Act Now

Remote unauthenticated compromise of Oracle Advanced Outbound Telephony (Oracle E-Business Suite, Internal Operations component) versions 12.2.3 through 12.2.15 allows attackers to read, create, modify, or delete all data accessible to the application via HTTP. Oracle rates the issue 9.1 (CVSS 3.1) due to network attack vector with no authentication and high confidentiality and integrity impact, though availability is unaffected. No public exploit identified at time of analysis, but the trivial exploitability and EBS exposure profile make it a priority patch.

Authentication Bypass Oracle Oracle Advanced Outbound Telephony
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46947 HIGH This Week

Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component over HTTP. The Internal Operations component is exposed to authenticated users with network reach, and successful exploitation yields high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Advanced Outbound Telephony Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46946 CRITICAL Act Now

Takeover of Oracle iSupport in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with scope-changed impact extending to additional EBS components. The CVSS 3.1 base score of 9.1 reflects full confidentiality, integrity, and availability loss beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Oracle Isupport Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46945 CRITICAL Act Now

Privileged remote takeover of Oracle iSupport (Oracle E-Business Suite, Internal Operations component) affects versions 12.2.3 through 12.2.15, where an authenticated high-privilege attacker with HTTP access can fully compromise the application with scope change into adjacent E-Business Suite components. The CVSS 9.1 score reflects the cross-component blast radius rather than ease of access, since PR:H means the attacker must already hold elevated privileges. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.

Oracle Oracle Isupport Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46944 CRITICAL Act Now

Full takeover of Oracle iSupport (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with a scope change that lets the attack significantly impact additional products beyond iSupport itself. The flaw carries a CVSS 3.1 base score of 9.1 with confidentiality, integrity, and availability all rated High, and no public exploit identified at time of analysis. The vendor (Oracle) is the sole reporting source via the June 2026 Critical Patch Update advisory.

Oracle Oracle Isupport Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46939 HIGH This Week

Authenticated data tampering and disclosure in Oracle Configure to Order (Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged attacker with network access via HTTP to fully read, modify, create, or delete all data accessible to the Supply to Order Workbench component. Oracle rates the issue CVSS 8.1 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Configure To Order
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46938 HIGH This Week

Full compromise of Oracle Cost Management (component: Cost Planning) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, resulting in takeover of the module with high confidentiality, integrity, and availability impact. Oracle's Critical Patch Update for June 2026 (cspujun2026) classifies this as easily exploitable once the privilege prerequisite is met. No public exploit identified at time of analysis and no CISA KEV listing observed.

Oracle Oracle Cost Management Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46935 HIGH This Week

Full takeover of Oracle Complex Maintenance, Repair and Overhaul (CMRO) versions 12.2.3 through 12.2.15 is possible by an authenticated low-privileged attacker over HTTP against the Internal Operations component. Successful exploitation yields high impact to confidentiality, integrity, and availability of the CMRO module, though Oracle rates the attack complexity as high. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Oracle Complex Maintenance Repair And Overhaul Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-46933 CRITICAL Act Now

Privilege escalation and full takeover of Oracle Applications Manager (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker over HTTP to fully compromise the management product and, because of the scope change, significantly impact additional integrated products. Oracle rates the issue CVSS 9.9 with confidentiality, integrity, and availability impacts; no public exploit identified at time of analysis. Listed in the ENISA EUVD as EUVD-2026-37249 and addressed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Applications Manager Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46932 HIGH This Week

Information disclosure and partial denial of service in Oracle E-Business Suite Enterprise Asset Management (versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker with HTTP network access to read all data accessible to the Enterprise Asset Management module and degrade its availability. Oracle rates the issue 7.1 CVSS 3.1 and describes it as easily exploitable. No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.

Authentication Bypass Denial Of Service Oracle Oracle Enterprise Asset Management
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-46931 HIGH This Week

Account takeover in Oracle Enterprise Asset Management (Oracle E-Business Suite 12.2.6 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Internal Operations component over HTTP. The flaw carries a CVSS 3.1 base score of 8.8 with high confidentiality, integrity, and availability impacts, and no public exploit identified at time of analysis. Because EBS instances frequently underpin manufacturing and asset-management workflows for large enterprises, successful exploitation could pivot from a foothold account into a full module takeover.

Oracle Oracle Enterprise Asset Management Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46930 CRITICAL Act Now

Remote unauthenticated compromise of Oracle In-Memory Cost Management for Discrete Industries (Oracle E-Business Suite versions 12.2.12 through 12.2.15) allows network-based attackers to read, modify, create, or delete all data accessible to the product via HTTPS. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact but no availability impact, and no public exploit has been identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update advisory cspujun2026.

Authentication Bypass Oracle Oracle In Memory Cost Management For Discrete Industries
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46929 HIGH This Week

Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Cost Planning component over HTTP. The flaw yields high confidentiality, integrity, and availability impact with no user interaction required, and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low-complexity, network-accessible nature warrants priority patching by EBS operators.

Oracle Oracle Cost Management Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46928 HIGH This Week

Full product takeover of Oracle Spares Management (a module of Oracle E-Business Suite) is achievable by a low-privileged remote attacker over HTTPS, affecting supported versions 12.2.3 through 12.2.15. Oracle rates this 8.8 CVSS with high impact across confidentiality, integrity, and availability, and the vector indicates easy exploitation with no user interaction. There is no public exploit identified at time of analysis, and the CVE is not on CISA KEV.

Oracle Oracle Spares Management Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46927 HIGH This Week

Remote takeover of Oracle Receivables in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by unauthenticated attackers reaching the SOAP interface of the Internal Operations component. Oracle's CVSS 3.1 score of 8.1 reflects full confidentiality, integrity, and availability impact, though high attack complexity (AC:H) tempers the practical risk. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Oracle Oracle Receivables Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46926 HIGH This Week

Privilege escalation and full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible for a low-privileged attacker with logon access to the host infrastructure, via the Siebel Cloud Manager component. Successful exploitation produces a scope change that significantly impacts adjacent products beyond Siebel itself, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Oracle has issued a fix in its June 2026 Critical Patch Update.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-46925 HIGH This Week

Adjacent-network takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible via the Siebel Cloud Manager component, where an unauthenticated attacker on the same physical communication segment can fully compromise the application and pivot to other products through a scope change. The flaw carries a CVSS 3.1 base score of 8.3 with full confidentiality, integrity, and availability impact, but high attack complexity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-46922 HIGH This Week

Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged user over the network via HTTP, leading to takeover of the HR Intelligence module with full confidentiality, integrity, and availability impact. The flaw was reported by Oracle and disclosed in the June 2026 Critical Patch Update; there is no public exploit identified at time of analysis and the issue is not on CISA KEV. CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), reflecting easy exploitation once the high privilege precondition is met.

Oracle Oracle Hr Intelligence Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46921 HIGH This Week

Account takeover in Oracle Siebel CRM Cloud Applications versions 17.0 through 26.5 allows a low-privileged remote attacker to fully compromise the Siebel Cloud Manager component over HTTP. Oracle rates the flaw 8.8 with full CIA impact, and no public exploit identified at time of analysis, but the low attack complexity and low privilege requirement make this a high-priority patch for any internet-exposed Siebel deployment.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46920 HIGH This Week

Full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0-26.5) is possible by unauthenticated remote attackers reaching the Siebel Cloud Manager component over HTTP, though Oracle classifies exploitation as difficult (AC:H). Successful attacks yield high impact across confidentiality, integrity, and availability - effectively complete compromise of the CRM tenant. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46919 CRITICAL Act Now

Remote takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) allows unauthenticated network attackers to fully compromise the Siebel Cloud Manager component via HTTP. The flaw carries a CVSS 9.8 with low attack complexity and no privileges or user interaction required, putting confidentiality, integrity, and availability at high risk. No public exploit identified at time of analysis, but Oracle's own advisory characterizes exploitation as easy.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46918 CRITICAL Act Now

Account takeover in Oracle E-Business Suite's Process Manufacturing Product Development component (versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the module via HTTP and pivot into other Oracle products through a CVSS scope change. Oracle rates the issue 9.9/10 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.

Oracle Oracle Process Manufacturing Product Development Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46916 HIGH This Week

Account takeover of Oracle Process Manufacturing Product Development (versions 12.2.3-12.2.15) is achievable by a low-privileged remote attacker over HTTP via the Quality Management Specs component. The flaw scores CVSS 8.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Oracle Process Manufacturing Product Development Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-46915 HIGH This Week

Takeover of Oracle Complex Maintenance, Repair and Overhaul (cMRO) versions 12.2.3 through 12.2.15 is achievable by a low-privileged attacker over HTTP, with the scope changing to impact additional Oracle E-Business Suite products beyond cMRO itself. The high CVSS 3.1 score of 8.5 reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers exploitability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Oracle Complex Maintenance Repair And Overhaul Authentication Bypass
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-46914 HIGH NEWS This Week

Local privilege abuse in Oracle Solaris 11.4 allows a low-privileged authenticated user with logon access to the host to read sensitive filesystem data and trigger a complete denial of service of the operating system. Oracle's June 2026 Critical Patch Update lists this as easily exploitable through the Filesystem component, with a CVSS 3.1 base score of 7.1; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Authentication Bypass Oracle Oracle Solaris Privilege Escalation
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-46913 CRITICAL Act Now

Full takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is achievable by an attacker with local logon access to the host running the Installation Security component, requiring no application credentials. The flaw carries a CVSS 3.1 base score of 9.3 with a scope change, meaning successful exploitation can pivot beyond JD Edwards into adjacent enterprise products on the same infrastructure. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Oracle ranks it as easily exploitable in the June 2026 Critical Patch Update.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-46912 CRITICAL Act Now

Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 via the Web Runtime Security component allows attackers with HTTP access to read all data the product can reach and modify a subset of it, with a scope change that propagates impact to other integrated products. Oracle rates the issue 9.3 (CVSS 3.1) and describes it as easily exploitable, and the public tagging as an authentication bypass aligns with the PR:N vector. No public exploit identified at time of analysis and no CISA KEV listing has been recorded.

Authentication Bypass Oracle Jd Edwards Enterpriseone Tools
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-46911 CRITICAL Act Now

Cross-product compromise in Oracle JD Edwards EnterpriseOne Project Costing 9.2 (Job Costing component) allows a low-privileged attacker with network access via the JDENET protocol to read, modify, or delete all data accessible to the Project Costing module and to impact additional adjacent products through a scope change. Oracle rates this 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and there is no public exploit identified at time of analysis, with the issue tracked as EUVD-2026-37230.

Authentication Bypass Oracle Jd Edwards Enterpriseone Project Costing
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-46910 CRITICAL Act Now

Unauthenticated remote compromise in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows network attackers to obtain unauthorized access to critical data and cause a complete denial of service via HTTP against the Enterprise Infrastructure Security component. Oracle rates this 9.1 (CVSS 3.1) reflecting high confidentiality and availability impact with no authentication or user interaction required, though no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Oracle Jd Edwards Enterpriseone Tools
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46909 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers via HTTP, per Oracle's June 2026 Critical Patch Update. The flaw resides in the Enterprise Infrastructure Security component and carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the trivial exploitation profile (AV:N/AC:L/PR:N/UI:N) against an internet-reachable ERP tier makes this a high-priority patching target.

Oracle Authentication Bypass Jd Edwards Enterpriseone Tools
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46908 CRITICAL Act Now

Takeover of Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 is possible by a low-privileged remote attacker over HTTP, with scope-changing impact on adjacent products. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise plus a scope change (S:C), and no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update (CPU).

Oracle Jd Edwards Enterpriseone Accounts Payable Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46907 CRITICAL Act Now

Takeover of Oracle JD Edwards EnterpriseOne Order Promising 9.2 is possible by a low-privileged remote attacker through the Order Promising Integration component over HTTP. The flaw produces a CVSS 3.1 scope change, meaning successful exploitation can significantly impact other interconnected products in the JD Edwards ecosystem. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Order Promising Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46906 CRITICAL Act Now

Privilege escalation and scope-change attack in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows a low-privileged attacker with HTTP network access to compromise the Enterprise Infrastructure Security component and impact additional connected products. Successful exploitation yields full read access and the ability to create, modify, or delete all data accessible to JD Edwards EnterpriseOne Tools. No public exploit identified at time of analysis, and the issue was reported by Oracle as part of the June 2026 Critical Patch Update.

Authentication Bypass Oracle Jd Edwards Enterpriseone Tools
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-46905 CRITICAL Act Now

Remote unauthenticated takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible via the Web Runtime Security component over HTTP, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network vector make this a high-priority patching target for any organization running this ERP suite. Oracle disclosed it in the June 2026 Critical Patch Update (CPU).

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46904 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET network service, yielding full confidentiality, integrity, and availability compromise of the platform. Oracle rates the issue CVSS 9.8 and describes it as easily exploitable, though no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46903 HIGH This Week

Authenticated takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the Business Logic Infrastructure Security component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and no public exploit identified at time of analysis. The flaw is described as easily exploitable, making it a high-priority patch target for enterprises running affected Tools releases.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46902 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Oracle E-Business Suite, is possible over HTTPS with low attack complexity. The flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8) on the Core component and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the trivial exploitability profile makes this a high-priority patching target.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46901 CRITICAL Act Now

Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Denial Of Service Oracle Oracle Enterprise Command Center Framework
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46900 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker over HTTPS to fully compromise the product and pivot into other E-Business Suite components via a CVSS scope change. Oracle has issued a fix in its June 2026 Critical Patch Update; no public exploit identified at time of analysis and EPSS/KEV signals were not provided.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46899 CRITICAL Act Now

Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker to read and tamper with critical data across adjacent Oracle E-Business Suite components via HTTP. The scope-changed CVSS 3.1 score of 9.6 reflects high confidentiality and integrity impact reaching beyond the vulnerable component, though no public exploit identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update.

Authentication Bypass Oracle Oracle Enterprise Command Center Framework
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-46898 HIGH This Week

High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows unauthenticated remote attackers to gain full read/write access to all framework-accessible data after tricking a user into interacting with a malicious request. The flaw is reachable over HTTPS with low attack complexity but requires user interaction, and no public exploit identified at time of analysis. Oracle published a vendor advisory in the June 2026 Critical Patch Update.

Authentication Bypass Oracle Oracle Enterprise Command Center Framework
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46897 CRITICAL Act Now

Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker over HTTP to gain unauthorized read, modify, and delete access to all framework-accessible data, with scope change extending impact to other Oracle E-Business Suite products. The CVSS 9.9 score reflects low attack complexity, low privileges required, and the scope change that crosses security boundaries into adjacent products. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Denial Of Service Oracle Oracle Enterprise Command Center Framework
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46896 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Business Suite, allows a high-privileged authenticated attacker with HTTP network access to fully compromise the ECC component and, through a scope change, significantly impact additional integrated products. Oracle's June 2026 Critical Patch Update advisory rates this CVSS 9.1 (C:H/I:H/A:H with S:C), and no public exploit identified at time of analysis. The combined high privilege requirement and scope change make this a real lateral-movement risk inside ERP deployments rather than a perimeter RCE.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46895 CRITICAL Act Now

Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievable by a low-privileged remote attacker over HTTP, with a scope change that lets the compromise impact other Oracle E-Business Suite components. The flaw carries a CVSS 3.1 base score of 9.9 (C:H/I:H/A:H, S:C). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46892 CRITICAL Act Now

Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Human Resources Management 9.2 allows network attackers to read and modify all data accessible through the Human Resources component via crafted HTTP requests. Oracle rates this CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and labels it 'easily exploitable.' No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Jd Edwards Enterpriseone Human Resources Management
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46891 HIGH This Week

High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. The bug threatens financial data integrity, making it directly relevant to SOX, audit, and fraud-control programs.

Authentication Bypass Oracle Jd Edwards Enterpriseone Accounts Payable
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46890 CRITICAL Act Now

Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. With a 9.8 CVSS base score and full confidentiality/integrity/availability impact, this represents a top-priority Oracle CPU finding, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46889 CRITICAL Act Now

Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the marketing component. Oracle's CVSS 3.1 base score of 9.8 reflects trivial network exploitability with no authentication or user interaction, and no public exploit identified at time of analysis. The flaw was disclosed in Oracle's Critical Patch Update cycle and tracked in ENISA's EUVD as EUVD-2026-37381.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46888 HIGH This Week

Local privilege escalation in Oracle Siebel CRM Deployment (Database Upgrade component) versions 17.0 through 26.5 allows a low-privileged user with logon access to the host running the deployment to fully compromise the Siebel CRM Deployment instance. The flaw carries a CVSS 3.1 base score of 7.8 with high impact across confidentiality, integrity, and availability, and was disclosed in the Oracle Critical Patch Update advisory (cspujun2026). No public exploit identified at time of analysis and no EPSS or KEV signal was provided.

Oracle Siebel Crm Deployment Authentication Bypass
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-46887 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle's CVSS 9.8 rating reflects easy exploitation with no authentication or user interaction required, though no public exploit is identified at time of analysis and the CVE is not currently listed in CISA KEV.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46886 HIGH This Week

Authenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) allows a low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle rates this 8.8 CVSS 3.1 with low attack complexity and no user interaction, making it an easy-win post-authentication vulnerability against any reachable Siebel Marketing instance. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46884 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, requiring no privileges or user interaction. Successful exploitation yields full compromise of the Marketing component with high confidentiality, integrity, and availability impact (CVSS 9.8). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46883 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 score reflects full compromise of confidentiality, integrity, and availability via a network-reachable attack path with no user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46882 CRITICAL Act Now

Unauthenticated remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the JDENET network protocol, granting full confidentiality, integrity, and availability impact on the ERP middleware. Oracle rates this CVSS 9.8 and describes it as easily exploitable, but at the time of analysis there is no public exploit identified and no CISA KEV listing. Defenders running JD Edwards ERP workloads should treat this as a top-priority patch from the Oracle June 2026 Critical Patch Update.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46881 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible by unauthenticated network attackers reaching the JDENET communications service, with no public exploit identified at time of analysis. The flaw resides in the Enterprise Infrastructure Security component and yields full confidentiality, integrity, and availability impact (CVSS 9.8), making any internet- or partner-network-exposed JDENET listener an urgent patching priority.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46880 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication service over the network. The flaw is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46879 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and Oracle's own 'easily exploitable' wording indicate trivial exploitation, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not yet listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46878 CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers reaching the JDENET service. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. No EPSS or CISA KEV signal is provided, but the combination of zero prerequisites and full impact warrants priority patching of internet-exposed JDE deployments.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46877 MEDIUM This Month

The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.

Authentication Bypass Oracle Oracle Vm Virtualbox Privilege Escalation
NVD VulDB
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-46875 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library component, where a high-privileged attacker with HTTPS network access can fully compromise the platform and pivot into other managed Oracle products through a scope change. No public exploit identified at time of analysis, but the CVSS 3.1 score of 9.1 reflects severe confidentiality, integrity, and availability impact across multiple downstream systems. Patched via Oracle Critical Patch Update advisory cspujun2026.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46871 MEDIUM This Month

Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-privileged network attacker to gain complete read access to all data accessible through MySQL Shell. The vulnerability, tagged as Authentication Bypass by ENISA intelligence (EUVD-2026-37364), exploits insufficient authorization controls within the Shell for VS Code component, granting data-tier access without requiring user interaction or elevated privileges beyond an initial low-level credential. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass Oracle Mysql Shell
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-46870 HIGH This Week

Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a low-privileged remote attacker can compromise the Shell with a scope-changing impact on additional products. The 8.5 CVSS score reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers practical exploitability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Mysql Shell Authentication Bypass
NVD VulDB
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-46869 MEDIUM This Month

Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. The attack yields complete read access to all MySQL Shell-accessible data with no integrity or availability side effects. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Oracle Mysql Shell CSRF
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-46868 HIGH This Week

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-privileged attacker abusing the Extensibility Framework over HTTPS, yielding complete confidentiality, integrity, and availability compromise of the management platform. Oracle disclosed the issue in the June 2026 Critical Patch Update with a CVSS 3.1 base score of 7.2, and no public exploit identified at time of analysis. Because EM Base Platform manages large fleets of Oracle databases and middleware, a successful compromise gives an attacker a high-value pivot point even though privileged access is required to trigger it.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46865 HIGH This Week

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-46864 HIGH This Week

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen component, where a low-privileged attacker with SSH network access can fully compromise confidentiality, integrity, and availability. Oracle rates this 8.8 and describes it as easily exploitable, but no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The single source is Oracle's June 2026 Critical Patch Update advisory, which is the authoritative reference for affected versions and fixes.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-46861 CRITICAL Act Now

Cross-component compromise in Oracle MySQL NDB Cluster (versions 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0) allows a low-privileged remote attacker with HTTP access to the NDB Operator component to read, modify, create, or delete all data accessible to the cluster. The scope-changed nature (S:C) means successful attacks reach beyond the NDB Cluster boundary into adjacent products. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Oracle's CVSS 9.6 rating and 'easily exploitable' characterization make this a high-priority patch.

Authentication Bypass Oracle Mysql Ndb Cluster
NVD VulDB
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-46860 CRITICAL Act Now

Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.

Oracle Mysql Router Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46859 CRITICAL Act Now

Remote takeover of Oracle Agile PLM 9.3.6 is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. The Security component flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Tags indicate information disclosure as a key consequence, though the vector permits complete product compromise.

Oracle Oracle Agile Plm Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46858 CRITICAL Act Now

Remote unauthenticated tampering and denial-of-service in Oracle Enterprise Manager's APM (Application Performance Management) component, specifically the JADM / JVM Diagnostics module in versions 13.5 and 24.1, allows attackers reachable over HTTP to modify, create, or delete any APM-accessible data and to hang or repeatedly crash the service. The flaw is rated CVSS 9.1 with no privileges or user interaction required, but at time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.

Oracle Apm Application Performance Management Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46857 CRITICAL Act Now

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network attackers to fully compromise the Oracle Management Service via HTTP. The flaw is rated CVSS 9.8 with low attack complexity and no user interaction, enabling complete takeover of the management platform. No public exploit identified at time of analysis, but the trivial exploitation profile and the platform's privileged role across managed Oracle estates make it a high-priority patching target.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
EPSS 0% CVSS 7.2
HIGH This Week

Full takeover of Oracle Public Sector Payroll (E-Business Suite 12.2.3-12.2.15) is possible by a high-privileged, network-adjacent attacker exploiting a flaw in the Internal Operations component, with confidentiality, integrity, and availability all fully impacted. Oracle's June 2026 Critical Patch Update describes the issue as easily exploitable over HTTP once privileges are held, and no public exploit identified at time of analysis. CVSS 3.1 base score is 7.2.

Oracle Oracle Public Sector Payroll Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Privileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high privileges to take over the VirtualBox installation and cross the hypervisor boundary into additional products (scope-changed). Oracle's CPU advisory rates this CVSS 3.1 7.5 with high attack complexity; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Oracle Vm Virtualbox Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker to fully compromise the module over HTTP. With CVSS 3.1 base score 8.8 and high impact on confidentiality, integrity, and availability, this is a high-priority patching item, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Oracle Oracle Outsourced Mfg For Discrete Industries Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Full takeover of Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) is achievable by a low-privileged authenticated attacker over HTTP, per Oracle's June 2026 Critical Patch Update advisory. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity, though no public exploit identified at time of analysis. Affected versions span 12.2.3 through 12.2.15 of Oracle E-Business Suite.

Oracle Oracle Outsourced Mfg For Discrete Industries Authentication Bypass
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Privileged takeover of Oracle Financials for EMEA (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows an authenticated high-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the module. The CVSS 3.1 base score is 7.2 with vector AV:N/AC:L/PR:H/UI:N, and there is no public exploit identified at time of analysis.

Oracle Oracle Financials For Emea Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authorization flaw in Oracle Public Sector Financials (International) versions 12.2.3 through 12.2.15 enables low-privileged authenticated attackers with HTTP network access to fully take over the affected component. Oracle's Critical Patch Update describes the issue as easily exploitable with high impact to confidentiality, integrity, and availability (CVSS 8.8). No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Oracle Oracle Public Sector Financials International Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Takeover of Oracle Universal Work Queue is possible in Oracle E-Business Suite versions 12.2.3 through 12.2.15 via the Work Provider Site Level Administration component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the module. Oracle classifies the issue as difficult to exploit (AC:H), and no public exploit identified at time of analysis. The flaw was disclosed in the Oracle Critical Patch Update of June 2026.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the Work Provider Site Level Administration component. Oracle rates this as easily exploitable with full confidentiality, integrity, and availability impact (CVSS 3.1 base 8.8), though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and full takeover of Oracle Universal Work Queue (component: Work Provider Site Level Administration) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker over HTTP to compromise the application with scope change extending impact to additional products. The CVSS 3.1 base score is 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component via HTTP, with a scope change that can significantly impact other connected products. The CVSS 3.1 base score of 9.9 reflects high confidentiality, integrity, and availability impact, and no public exploit is identified at time of analysis. Authenticated EBS users - including low-tier business users - should be treated as potential threat actors against this surface.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated takeover of Oracle Project Portfolio Analysis (E-Business Suite versions 12.2.3 through 12.2.15) is possible over HTTP, allowing a low-privileged attacker to fully compromise the application's confidentiality, integrity, and availability. Oracle rates this as easily exploitable with a CVSS 3.1 base score of 8.8, though no public exploit identified at time of analysis. The flaw resides in the Internal Operations component and was disclosed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Project Portfolio Analysis Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the module over HTTP. Oracle's June 2026 Critical Patch Update rates the issue 8.8 with high confidentiality, integrity, and availability impacts, and the CVSS vector flags it as easily exploitable; no public exploit identified at time of analysis and the issue is not on CISA KEV.

Oracle Oracle Project Portfolio Analysis Authentication Bypass
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Full product takeover of Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) is possible by an authenticated high-privileged attacker over HTTP, affecting supported versions 12.2.3 through 12.2.15. The flaw yields complete confidentiality, integrity, and availability impact on the application. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Oracle Project Portfolio Analysis Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows an authenticated low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the module. Although the CVSS 3.1 base score is 7.5 with high impact across all three pillars, the AC:H rating signals non-trivial exploitation requirements, and there is no public exploit identified at time of analysis.

Oracle Oracle Subledger Accounting Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Takeover of Oracle iSupplier Portal (E-Business Suite versions 12.2.3 through 12.2.15) is achievable by a low-privileged remote attacker over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw is rated CVSS 7.5 with high confidentiality, integrity, and availability impact, but carries high attack complexity, suggesting non-trivial preconditions. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Oracle Oracle Isupplier Portal Authentication Bypass
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Takeover of Oracle Property Manager (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by a high-privileged attacker with HTTP network access, with no public exploit identified at time of analysis. Oracle rates the issue easily exploitable with full confidentiality, integrity, and availability impact, but the PR:H requirement narrows the practical attacker pool to those already holding elevated EBS application privileges. The flaw is disclosed in the Oracle Critical Patch Update of June 2026 and tagged as Information Disclosure / Oracle Property Manager.

Oracle Oracle Property Manager Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in the Oracle Quality module of Oracle E-Business Suite 12.2.3 through 12.2.15 allows a low-privileged attacker with HTTP network access to fully compromise the Quality component, impacting confidentiality, integrity, and availability (CVSS 3.1 8.8). The flaw resides in the Internal Operations component and is rated easily exploitable by Oracle's own advisory, though no public exploit identified at time of analysis and the issue is not yet listed in CISA KEV.

Oracle Oracle Quality Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover of the Oracle Quality module in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the component over HTTP. Per the vendor's June 2026 Critical Patch Update advisory the issue is rated CVSS 8.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Risk is elevated for internet- or intranet-exposed EBS deployments because exploitation is rated 'easily exploitable' and only requires a valid low-privilege session.

Oracle Oracle Quality Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite component, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker with HTTP access to fully compromise the product's confidentiality, integrity, and availability. Oracle has published a fix in the June 2026 Critical Patch Update, and the CVSS 3.1 base score of 8.8 reflects an easily exploitable network-borne flaw, though no public exploit identified at time of analysis and EPSS data was not provided.

Oracle Oracle Advanced Outbound Telephony Authentication Bypass
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote unauthenticated compromise of Oracle Advanced Outbound Telephony (Oracle E-Business Suite, Internal Operations component) versions 12.2.3 through 12.2.15 allows attackers to read, create, modify, or delete all data accessible to the application via HTTP. Oracle rates the issue 9.1 (CVSS 3.1) due to network attack vector with no authentication and high confidentiality and integrity impact, though availability is unaffected. No public exploit identified at time of analysis, but the trivial exploitability and EBS exposure profile make it a priority patch.

Authentication Bypass Oracle Oracle Advanced Outbound Telephony
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component over HTTP. The Internal Operations component is exposed to authenticated users with network reach, and successful exploitation yields high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Advanced Outbound Telephony Authentication Bypass
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Takeover of Oracle iSupport in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with scope-changed impact extending to additional EBS components. The CVSS 3.1 base score of 9.1 reflects full confidentiality, integrity, and availability loss beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Oracle Isupport Authentication Bypass
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Privileged remote takeover of Oracle iSupport (Oracle E-Business Suite, Internal Operations component) affects versions 12.2.3 through 12.2.15, where an authenticated high-privilege attacker with HTTP access can fully compromise the application with scope change into adjacent E-Business Suite components. The CVSS 9.1 score reflects the cross-component blast radius rather than ease of access, since PR:H means the attacker must already hold elevated privileges. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.

Oracle Oracle Isupport Authentication Bypass
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Full takeover of Oracle iSupport (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with a scope change that lets the attack significantly impact additional products beyond iSupport itself. The flaw carries a CVSS 3.1 base score of 9.1 with confidentiality, integrity, and availability all rated High, and no public exploit identified at time of analysis. The vendor (Oracle) is the sole reporting source via the June 2026 Critical Patch Update advisory.

Oracle Oracle Isupport Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated data tampering and disclosure in Oracle Configure to Order (Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged attacker with network access via HTTP to fully read, modify, create, or delete all data accessible to the Supply to Order Workbench component. Oracle rates the issue CVSS 8.1 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Configure To Order
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Full compromise of Oracle Cost Management (component: Cost Planning) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, resulting in takeover of the module with high confidentiality, integrity, and availability impact. Oracle's Critical Patch Update for June 2026 (cspujun2026) classifies this as easily exploitable once the privilege prerequisite is met. No public exploit identified at time of analysis and no CISA KEV listing observed.

Oracle Oracle Cost Management Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Full takeover of Oracle Complex Maintenance, Repair and Overhaul (CMRO) versions 12.2.3 through 12.2.15 is possible by an authenticated low-privileged attacker over HTTP against the Internal Operations component. Successful exploitation yields high impact to confidentiality, integrity, and availability of the CMRO module, though Oracle rates the attack complexity as high. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Oracle Complex Maintenance Repair And Overhaul Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and full takeover of Oracle Applications Manager (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker over HTTP to fully compromise the management product and, because of the scope change, significantly impact additional integrated products. Oracle rates the issue CVSS 9.9 with confidentiality, integrity, and availability impacts; no public exploit identified at time of analysis. Listed in the ENISA EUVD as EUVD-2026-37249 and addressed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Applications Manager Authentication Bypass
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Information disclosure and partial denial of service in Oracle E-Business Suite Enterprise Asset Management (versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker with HTTP network access to read all data accessible to the Enterprise Asset Management module and degrade its availability. Oracle rates the issue 7.1 CVSS 3.1 and describes it as easily exploitable. No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.

Authentication Bypass Denial Of Service Oracle +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Enterprise Asset Management (Oracle E-Business Suite 12.2.6 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Internal Operations component over HTTP. The flaw carries a CVSS 3.1 base score of 8.8 with high confidentiality, integrity, and availability impacts, and no public exploit identified at time of analysis. Because EBS instances frequently underpin manufacturing and asset-management workflows for large enterprises, successful exploitation could pivot from a foothold account into a full module takeover.

Oracle Oracle Enterprise Asset Management Authentication Bypass
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote unauthenticated compromise of Oracle In-Memory Cost Management for Discrete Industries (Oracle E-Business Suite versions 12.2.12 through 12.2.15) allows network-based attackers to read, modify, create, or delete all data accessible to the product via HTTPS. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact but no availability impact, and no public exploit has been identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update advisory cspujun2026.

Authentication Bypass Oracle Oracle In Memory Cost Management For Discrete Industries
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Cost Planning component over HTTP. The flaw yields high confidentiality, integrity, and availability impact with no user interaction required, and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low-complexity, network-accessible nature warrants priority patching by EBS operators.

Oracle Oracle Cost Management Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Full product takeover of Oracle Spares Management (a module of Oracle E-Business Suite) is achievable by a low-privileged remote attacker over HTTPS, affecting supported versions 12.2.3 through 12.2.15. Oracle rates this 8.8 CVSS with high impact across confidentiality, integrity, and availability, and the vector indicates easy exploitation with no user interaction. There is no public exploit identified at time of analysis, and the CVE is not on CISA KEV.

Oracle Oracle Spares Management Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Remote takeover of Oracle Receivables in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by unauthenticated attackers reaching the SOAP interface of the Internal Operations component. Oracle's CVSS 3.1 score of 8.1 reflects full confidentiality, integrity, and availability impact, though high attack complexity (AC:H) tempers the practical risk. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Oracle Oracle Receivables Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation and full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible for a low-privileged attacker with logon access to the host infrastructure, via the Siebel Cloud Manager component. Successful exploitation produces a scope change that significantly impacts adjacent products beyond Siebel itself, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Oracle has issued a fix in its June 2026 Critical Patch Update.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
EPSS 0% CVSS 8.3
HIGH This Week

Adjacent-network takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible via the Siebel Cloud Manager component, where an unauthenticated attacker on the same physical communication segment can fully compromise the application and pivot to other products through a scope change. The flaw carries a CVSS 3.1 base score of 8.3 with full confidentiality, integrity, and availability impact, but high attack complexity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged user over the network via HTTP, leading to takeover of the HR Intelligence module with full confidentiality, integrity, and availability impact. The flaw was reported by Oracle and disclosed in the June 2026 Critical Patch Update; there is no public exploit identified at time of analysis and the issue is not on CISA KEV. CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), reflecting easy exploitation once the high privilege precondition is met.

Oracle Oracle Hr Intelligence Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Siebel CRM Cloud Applications versions 17.0 through 26.5 allows a low-privileged remote attacker to fully compromise the Siebel Cloud Manager component over HTTP. Oracle rates the flaw 8.8 with full CIA impact, and no public exploit identified at time of analysis, but the low attack complexity and low privilege requirement make this a high-priority patch for any internet-exposed Siebel deployment.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0-26.5) is possible by unauthenticated remote attackers reaching the Siebel Cloud Manager component over HTTP, though Oracle classifies exploitation as difficult (AC:H). Successful attacks yield high impact across confidentiality, integrity, and availability - effectively complete compromise of the CRM tenant. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) allows unauthenticated network attackers to fully compromise the Siebel Cloud Manager component via HTTP. The flaw carries a CVSS 9.8 with low attack complexity and no privileges or user interaction required, putting confidentiality, integrity, and availability at high risk. No public exploit identified at time of analysis, but Oracle's own advisory characterizes exploitation as easy.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Account takeover in Oracle E-Business Suite's Process Manufacturing Product Development component (versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the module via HTTP and pivot into other Oracle products through a CVSS scope change. Oracle rates the issue 9.9/10 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.

Oracle Oracle Process Manufacturing Product Development Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover of Oracle Process Manufacturing Product Development (versions 12.2.3-12.2.15) is achievable by a low-privileged remote attacker over HTTP via the Quality Management Specs component. The flaw scores CVSS 8.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Oracle Process Manufacturing Product Development Authentication Bypass
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Takeover of Oracle Complex Maintenance, Repair and Overhaul (cMRO) versions 12.2.3 through 12.2.15 is achievable by a low-privileged attacker over HTTP, with the scope changing to impact additional Oracle E-Business Suite products beyond cMRO itself. The high CVSS 3.1 score of 8.5 reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers exploitability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Oracle Complex Maintenance Repair And Overhaul Authentication Bypass
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Local privilege abuse in Oracle Solaris 11.4 allows a low-privileged authenticated user with logon access to the host to read sensitive filesystem data and trigger a complete denial of service of the operating system. Oracle's June 2026 Critical Patch Update lists this as easily exploitable through the Filesystem component, with a CVSS 3.1 base score of 7.1; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Authentication Bypass Oracle Oracle Solaris +1
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Full takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is achievable by an attacker with local logon access to the host running the Installation Security component, requiring no application credentials. The flaw carries a CVSS 3.1 base score of 9.3 with a scope change, meaning successful exploitation can pivot beyond JD Edwards into adjacent enterprise products on the same infrastructure. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Oracle ranks it as easily exploitable in the June 2026 Critical Patch Update.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 via the Web Runtime Security component allows attackers with HTTP access to read all data the product can reach and modify a subset of it, with a scope change that propagates impact to other integrated products. Oracle rates the issue 9.3 (CVSS 3.1) and describes it as easily exploitable, and the public tagging as an authentication bypass aligns with the PR:N vector. No public exploit identified at time of analysis and no CISA KEV listing has been recorded.

Authentication Bypass Oracle Jd Edwards Enterpriseone Tools
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-product compromise in Oracle JD Edwards EnterpriseOne Project Costing 9.2 (Job Costing component) allows a low-privileged attacker with network access via the JDENET protocol to read, modify, or delete all data accessible to the Project Costing module and to impact additional adjacent products through a scope change. Oracle rates this 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and there is no public exploit identified at time of analysis, with the issue tracked as EUVD-2026-37230.

Authentication Bypass Oracle Jd Edwards Enterpriseone Project Costing
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated remote compromise in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows network attackers to obtain unauthorized access to critical data and cause a complete denial of service via HTTP against the Enterprise Infrastructure Security component. Oracle rates this 9.1 (CVSS 3.1) reflecting high confidentiality and availability impact with no authentication or user interaction required, though no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Oracle Jd Edwards Enterpriseone Tools
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers via HTTP, per Oracle's June 2026 Critical Patch Update. The flaw resides in the Enterprise Infrastructure Security component and carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the trivial exploitation profile (AV:N/AC:L/PR:N/UI:N) against an internet-reachable ERP tier makes this a high-priority patching target.

Oracle Authentication Bypass Jd Edwards Enterpriseone Tools
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Takeover of Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 is possible by a low-privileged remote attacker over HTTP, with scope-changing impact on adjacent products. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise plus a scope change (S:C), and no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update (CPU).

Oracle Jd Edwards Enterpriseone Accounts Payable Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Takeover of Oracle JD Edwards EnterpriseOne Order Promising 9.2 is possible by a low-privileged remote attacker through the Order Promising Integration component over HTTP. The flaw produces a CVSS 3.1 scope change, meaning successful exploitation can significantly impact other interconnected products in the JD Edwards ecosystem. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Order Promising Authentication Bypass
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Privilege escalation and scope-change attack in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows a low-privileged attacker with HTTP network access to compromise the Enterprise Infrastructure Security component and impact additional connected products. Successful exploitation yields full read access and the ability to create, modify, or delete all data accessible to JD Edwards EnterpriseOne Tools. No public exploit identified at time of analysis, and the issue was reported by Oracle as part of the June 2026 Critical Patch Update.

Authentication Bypass Oracle Jd Edwards Enterpriseone Tools
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible via the Web Runtime Security component over HTTP, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network vector make this a high-priority patching target for any organization running this ERP suite. Oracle disclosed it in the June 2026 Critical Patch Update (CPU).

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET network service, yielding full confidentiality, integrity, and availability compromise of the platform. Oracle rates the issue CVSS 9.8 and describes it as easily exploitable, though no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the Business Logic Infrastructure Security component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and no public exploit identified at time of analysis. The flaw is described as easily exploitable, making it a high-priority patch target for enterprises running affected Tools releases.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Oracle E-Business Suite, is possible over HTTPS with low attack complexity. The flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8) on the Core component and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the trivial exploitability profile makes this a high-priority patching target.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Denial Of Service Oracle +1
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker over HTTPS to fully compromise the product and pivot into other E-Business Suite components via a CVSS scope change. Oracle has issued a fix in its June 2026 Critical Patch Update; no public exploit identified at time of analysis and EPSS/KEV signals were not provided.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker to read and tamper with critical data across adjacent Oracle E-Business Suite components via HTTP. The scope-changed CVSS 3.1 score of 9.6 reflects high confidentiality and integrity impact reaching beyond the vulnerable component, though no public exploit identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update.

Authentication Bypass Oracle Oracle Enterprise Command Center Framework
NVD
EPSS 0% CVSS 8.1
HIGH This Week

High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows unauthenticated remote attackers to gain full read/write access to all framework-accessible data after tricking a user into interacting with a malicious request. The flaw is reachable over HTTPS with low attack complexity but requires user interaction, and no public exploit identified at time of analysis. Oracle published a vendor advisory in the June 2026 Critical Patch Update.

Authentication Bypass Oracle Oracle Enterprise Command Center Framework
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker over HTTP to gain unauthorized read, modify, and delete access to all framework-accessible data, with scope change extending impact to other Oracle E-Business Suite products. The CVSS 9.9 score reflects low attack complexity, low privileges required, and the scope change that crosses security boundaries into adjacent products. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Denial Of Service Oracle +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Business Suite, allows a high-privileged authenticated attacker with HTTP network access to fully compromise the ECC component and, through a scope change, significantly impact additional integrated products. Oracle's June 2026 Critical Patch Update advisory rates this CVSS 9.1 (C:H/I:H/A:H with S:C), and no public exploit identified at time of analysis. The combined high privilege requirement and scope change make this a real lateral-movement risk inside ERP deployments rather than a perimeter RCE.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievable by a low-privileged remote attacker over HTTP, with a scope change that lets the compromise impact other Oracle E-Business Suite components. The flaw carries a CVSS 3.1 base score of 9.9 (C:H/I:H/A:H, S:C). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Command Center Framework Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Human Resources Management 9.2 allows network attackers to read and modify all data accessible through the Human Resources component via crafted HTTP requests. Oracle rates this CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and labels it 'easily exploitable.' No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Jd Edwards Enterpriseone Human Resources Management
NVD
EPSS 0% CVSS 8.1
HIGH This Week

High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. The bug threatens financial data integrity, making it directly relevant to SOX, audit, and fraud-control programs.

Authentication Bypass Oracle Jd Edwards Enterpriseone Accounts Payable
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. With a 9.8 CVSS base score and full confidentiality/integrity/availability impact, this represents a top-priority Oracle CPU finding, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the marketing component. Oracle's CVSS 3.1 base score of 9.8 reflects trivial network exploitability with no authentication or user interaction, and no public exploit identified at time of analysis. The flaw was disclosed in Oracle's Critical Patch Update cycle and tracked in ENISA's EUVD as EUVD-2026-37381.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Oracle Siebel CRM Deployment (Database Upgrade component) versions 17.0 through 26.5 allows a low-privileged user with logon access to the host running the deployment to fully compromise the Siebel CRM Deployment instance. The flaw carries a CVSS 3.1 base score of 7.8 with high impact across confidentiality, integrity, and availability, and was disclosed in the Oracle Critical Patch Update advisory (cspujun2026). No public exploit identified at time of analysis and no EPSS or KEV signal was provided.

Oracle Siebel Crm Deployment Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle's CVSS 9.8 rating reflects easy exploitation with no authentication or user interaction required, though no public exploit is identified at time of analysis and the CVE is not currently listed in CISA KEV.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) allows a low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle rates this 8.8 CVSS 3.1 with low attack complexity and no user interaction, making it an easy-win post-authentication vulnerability against any reachable Siebel Marketing instance. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, requiring no privileges or user interaction. Successful exploitation yields full compromise of the Marketing component with high confidentiality, integrity, and availability impact (CVSS 9.8). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Siebel Apps Marketing Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 score reflects full compromise of confidentiality, integrity, and availability via a network-reachable attack path with no user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the JDENET network protocol, granting full confidentiality, integrity, and availability impact on the ERP middleware. Oracle rates this CVSS 9.8 and describes it as easily exploitable, but at the time of analysis there is no public exploit identified and no CISA KEV listing. Defenders running JD Edwards ERP workloads should treat this as a top-priority patch from the Oracle June 2026 Critical Patch Update.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible by unauthenticated network attackers reaching the JDENET communications service, with no public exploit identified at time of analysis. The flaw resides in the Enterprise Infrastructure Security component and yields full confidentiality, integrity, and availability impact (CVSS 9.8), making any internet- or partner-network-exposed JDENET listener an urgent patching priority.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication service over the network. The flaw is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and Oracle's own 'easily exploitable' wording indicate trivial exploitation, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not yet listed in CISA KEV.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers reaching the JDENET service. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. No EPSS or CISA KEV signal is provided, but the combination of zero prerequisites and full impact warrants priority patching of internet-exposed JDE deployments.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.

Authentication Bypass Oracle Oracle Vm Virtualbox +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library component, where a high-privileged attacker with HTTPS network access can fully compromise the platform and pivot into other managed Oracle products through a scope change. No public exploit identified at time of analysis, but the CVSS 3.1 score of 9.1 reflects severe confidentiality, integrity, and availability impact across multiple downstream systems. Patched via Oracle Critical Patch Update advisory cspujun2026.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-privileged network attacker to gain complete read access to all data accessible through MySQL Shell. The vulnerability, tagged as Authentication Bypass by ENISA intelligence (EUVD-2026-37364), exploits insufficient authorization controls within the Shell for VS Code component, granting data-tier access without requiring user interaction or elevated privileges beyond an initial low-level credential. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass Oracle Mysql Shell
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a low-privileged remote attacker can compromise the Shell with a scope-changing impact on additional products. The 8.5 CVSS score reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers practical exploitability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Mysql Shell Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. The attack yields complete read access to all MySQL Shell-accessible data with no integrity or availability side effects. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Oracle Mysql Shell +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-privileged attacker abusing the Extensibility Framework over HTTPS, yielding complete confidentiality, integrity, and availability compromise of the management platform. Oracle disclosed the issue in the June 2026 Critical Patch Update with a CVSS 3.1 base score of 7.2, and no public exploit identified at time of analysis. Because EM Base Platform manages large fleets of Oracle databases and middleware, a successful compromise gives an attacker a high-value pivot point even though privileged access is required to trigger it.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen component, where a low-privileged attacker with SSH network access can fully compromise confidentiality, integrity, and availability. Oracle rates this 8.8 and describes it as easily exploitable, but no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The single source is Oracle's June 2026 Critical Patch Update advisory, which is the authoritative reference for affected versions and fixes.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-component compromise in Oracle MySQL NDB Cluster (versions 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0) allows a low-privileged remote attacker with HTTP access to the NDB Operator component to read, modify, create, or delete all data accessible to the cluster. The scope-changed nature (S:C) means successful attacks reach beyond the NDB Cluster boundary into adjacent products. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Oracle's CVSS 9.6 rating and 'easily exploitable' characterization make this a high-priority patch.

Authentication Bypass Oracle Mysql Ndb Cluster
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.

Oracle Mysql Router Authentication Bypass
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle Agile PLM 9.3.6 is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. The Security component flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Tags indicate information disclosure as a key consequence, though the vector permits complete product compromise.

Oracle Oracle Agile Plm Authentication Bypass
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote unauthenticated tampering and denial-of-service in Oracle Enterprise Manager's APM (Application Performance Management) component, specifically the JADM / JVM Diagnostics module in versions 13.5 and 24.1, allows attackers reachable over HTTP to modify, create, or delete any APM-accessible data and to hang or repeatedly crash the service. The flaw is rated CVSS 9.1 with no privileges or user interaction required, but at time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.

Oracle Apm Application Performance Management Authentication Bypass
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network attackers to fully compromise the Oracle Management Service via HTTP. The flaw is rated CVSS 9.8 with low attack complexity and no user interaction, enabling complete takeover of the management platform. No public exploit identified at time of analysis, but the trivial exploitation profile and the platform's privileged role across managed Oracle estates make it a high-priority patching target.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
Prev Page 20 of 348 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy