Skip to main content

Oracle Application Development Framework Adf

4 CVEs product

Monthly

CVE-2026-46772 MEDIUM This Month

Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. No public exploit exists and this CVE is not listed in the CISA KEV catalog; however, the 'Authentication Bypass' tag suggests the flaw undermines role-based or session-level access separation within ADF Faces despite the attacker already holding high privileges.

Authentication Bypass Oracle Oracle Application Development Framework Adf
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-46771 MEDIUM This Month

Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.

Authentication Bypass Java Oracle Oracle Application Development Framework Adf
NVD VulDB
CVSS 3.1
4.1
EPSS
0.1%
CVE-2026-46770 MEDIUM This Month

Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework component allows network-based unauthenticated attackers to compromise versions 12.2.1.4.0 and 14.1.2.0.0 via HTTP when a victim user interacts with a malicious payload. Successful exploitation results in unauthorized read access to a subset of ADF data and unauthorized modification of ADF-accessible data, with a confirmed scope change indicating downstream impact on additional Oracle Fusion Middleware products. No public exploit has been identified at time of analysis, and no CISA KEV listing exists.

Authentication Bypass Oracle Oracle Application Development Framework Adf
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-46769 HIGH This Week

Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Oracle Oracle Application Development Framework Adf Authentication Bypass
NVD VulDB
CVSS 3.1
7.2
EPSS
0.5%
EPSS 0% CVSS 4.7
MEDIUM This Month

Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. No public exploit exists and this CVE is not listed in the CISA KEV catalog; however, the 'Authentication Bypass' tag suggests the flaw undermines role-based or session-level access separation within ADF Faces despite the attacker already holding high privileges.

Authentication Bypass Oracle Oracle Application Development Framework Adf
NVD VulDB
EPSS 0% CVSS 4.1
MEDIUM This Month

Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.

Authentication Bypass Java Oracle +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework component allows network-based unauthenticated attackers to compromise versions 12.2.1.4.0 and 14.1.2.0.0 via HTTP when a victim user interacts with a malicious payload. Successful exploitation results in unauthorized read access to a subset of ADF data and unauthorized modification of ADF-accessible data, with a confirmed scope change indicating downstream impact on additional Oracle Fusion Middleware products. No public exploit has been identified at time of analysis, and no CISA KEV listing exists.

Authentication Bypass Oracle Oracle Application Development Framework Adf
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Oracle Oracle Application Development Framework Adf Authentication Bypass
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy