Oracle Application Development Framework Adf
Monthly
Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. No public exploit exists and this CVE is not listed in the CISA KEV catalog; however, the 'Authentication Bypass' tag suggests the flaw undermines role-based or session-level access separation within ADF Faces despite the attacker already holding high privileges.
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.
Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework component allows network-based unauthenticated attackers to compromise versions 12.2.1.4.0 and 14.1.2.0.0 via HTTP when a victim user interacts with a malicious payload. Successful exploitation results in unauthorized read access to a subset of ADF data and unauthorized modification of ADF-accessible data, with a confirmed scope change indicating downstream impact on additional Oracle Fusion Middleware products. No public exploit has been identified at time of analysis, and no CISA KEV listing exists.
Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. No public exploit exists and this CVE is not listed in the CISA KEV catalog; however, the 'Authentication Bypass' tag suggests the flaw undermines role-based or session-level access separation within ADF Faces despite the attacker already holding high privileges.
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.
Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework component allows network-based unauthenticated attackers to compromise versions 12.2.1.4.0 and 14.1.2.0.0 via HTTP when a victim user interacts with a malicious payload. Successful exploitation results in unauthorized read access to a subset of ADF data and unauthorized modification of ADF-accessible data, with a confirmed scope change indicating downstream impact on additional Oracle Fusion Middleware products. No public exploit has been identified at time of analysis, and no CISA KEV listing exists.
Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.