Oracle
Monthly
Cross-product compromise in Oracle JD Edwards EnterpriseOne Project Costing 9.2 (Job Costing component) allows a low-privileged attacker with network access via the JDENET protocol to read, modify, or delete all data accessible to the Project Costing module and to impact additional adjacent products through a scope change. Oracle rates this 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and there is no public exploit identified at time of analysis, with the issue tracked as EUVD-2026-37230.
Unauthenticated remote compromise in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows network attackers to obtain unauthorized access to critical data and cause a complete denial of service via HTTP against the Enterprise Infrastructure Security component. Oracle rates this 9.1 (CVSS 3.1) reflecting high confidentiality and availability impact with no authentication or user interaction required, though no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers via HTTP, per Oracle's June 2026 Critical Patch Update. The flaw resides in the Enterprise Infrastructure Security component and carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the trivial exploitation profile (AV:N/AC:L/PR:N/UI:N) against an internet-reachable ERP tier makes this a high-priority patching target.
Takeover of Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 is possible by a low-privileged remote attacker over HTTP, with scope-changing impact on adjacent products. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise plus a scope change (S:C), and no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update (CPU).
Takeover of Oracle JD Edwards EnterpriseOne Order Promising 9.2 is possible by a low-privileged remote attacker through the Order Promising Integration component over HTTP. The flaw produces a CVSS 3.1 scope change, meaning successful exploitation can significantly impact other interconnected products in the JD Edwards ecosystem. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Privilege escalation and scope-change attack in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows a low-privileged attacker with HTTP network access to compromise the Enterprise Infrastructure Security component and impact additional connected products. Successful exploitation yields full read access and the ability to create, modify, or delete all data accessible to JD Edwards EnterpriseOne Tools. No public exploit identified at time of analysis, and the issue was reported by Oracle as part of the June 2026 Critical Patch Update.
Remote unauthenticated takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible via the Web Runtime Security component over HTTP, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network vector make this a high-priority patching target for any organization running this ERP suite. Oracle disclosed it in the June 2026 Critical Patch Update (CPU).
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET network service, yielding full confidentiality, integrity, and availability compromise of the platform. Oracle rates the issue CVSS 9.8 and describes it as easily exploitable, though no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authenticated takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the Business Logic Infrastructure Security component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and no public exploit identified at time of analysis. The flaw is described as easily exploitable, making it a high-priority patch target for enterprises running affected Tools releases.
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Oracle E-Business Suite, is possible over HTTPS with low attack complexity. The flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8) on the Core component and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the trivial exploitability profile makes this a high-priority patching target.
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker over HTTPS to fully compromise the product and pivot into other E-Business Suite components via a CVSS scope change. Oracle has issued a fix in its June 2026 Critical Patch Update; no public exploit identified at time of analysis and EPSS/KEV signals were not provided.
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker to read and tamper with critical data across adjacent Oracle E-Business Suite components via HTTP. The scope-changed CVSS 3.1 score of 9.6 reflects high confidentiality and integrity impact reaching beyond the vulnerable component, though no public exploit identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update.
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows unauthenticated remote attackers to gain full read/write access to all framework-accessible data after tricking a user into interacting with a malicious request. The flaw is reachable over HTTPS with low attack complexity but requires user interaction, and no public exploit identified at time of analysis. Oracle published a vendor advisory in the June 2026 Critical Patch Update.
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker over HTTP to gain unauthorized read, modify, and delete access to all framework-accessible data, with scope change extending impact to other Oracle E-Business Suite products. The CVSS 9.9 score reflects low attack complexity, low privileges required, and the scope change that crosses security boundaries into adjacent products. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Business Suite, allows a high-privileged authenticated attacker with HTTP network access to fully compromise the ECC component and, through a scope change, significantly impact additional integrated products. Oracle's June 2026 Critical Patch Update advisory rates this CVSS 9.1 (C:H/I:H/A:H with S:C), and no public exploit identified at time of analysis. The combined high privilege requirement and scope change make this a real lateral-movement risk inside ERP deployments rather than a perimeter RCE.
Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievable by a low-privileged remote attacker over HTTP, with a scope change that lets the compromise impact other Oracle E-Business Suite components. The flaw carries a CVSS 3.1 base score of 9.9 (C:H/I:H/A:H, S:C). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Account takeover in Oracle iSupplier Portal (E-Business Suite versions 12.2.3-12.2.15) allows a low-privileged remote attacker to fully compromise the application by tricking a separate user into interacting with attacker-supplied content over HTTPS. The Home Page component is the entry point, and successful exploitation yields full confidentiality, integrity, and availability impact on the portal. No public exploit identified at time of analysis, but Oracle's critical patch advisory confirms the issue is real and patchable.
Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.
Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Human Resources Management 9.2 allows network attackers to read and modify all data accessible through the Human Resources component via crafted HTTP requests. Oracle rates this CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and labels it 'easily exploitable.' No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. The bug threatens financial data integrity, making it directly relevant to SOX, audit, and fraud-control programs.
Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. With a 9.8 CVSS base score and full confidentiality/integrity/availability impact, this represents a top-priority Oracle CPU finding, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the marketing component. Oracle's CVSS 3.1 base score of 9.8 reflects trivial network exploitability with no authentication or user interaction, and no public exploit identified at time of analysis. The flaw was disclosed in Oracle's Critical Patch Update cycle and tracked in ENISA's EUVD as EUVD-2026-37381.
Local privilege escalation in Oracle Siebel CRM Deployment (Database Upgrade component) versions 17.0 through 26.5 allows a low-privileged user with logon access to the host running the deployment to fully compromise the Siebel CRM Deployment instance. The flaw carries a CVSS 3.1 base score of 7.8 with high impact across confidentiality, integrity, and availability, and was disclosed in the Oracle Critical Patch Update advisory (cspujun2026). No public exploit identified at time of analysis and no EPSS or KEV signal was provided.
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle's CVSS 9.8 rating reflects easy exploitation with no authentication or user interaction required, though no public exploit is identified at time of analysis and the CVE is not currently listed in CISA KEV.
Authenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) allows a low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle rates this 8.8 CVSS 3.1 with low attack complexity and no user interaction, making it an easy-win post-authentication vulnerability against any reachable Siebel Marketing instance. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Account takeover of the Siebel CRM Integration component (EAI) in Oracle Siebel CRM versions 17.0 through 26.5 allows a low-privileged remote attacker with HTTP network access to fully compromise the integration component, impacting confidentiality, integrity, and availability. Oracle rates this 'easily exploitable' with CVSS 3.1 score 8.8, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, requiring no privileges or user interaction. Successful exploitation yields full compromise of the Marketing component with high confidentiality, integrity, and availability impact (CVSS 9.8). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 score reflects full compromise of confidentiality, integrity, and availability via a network-reachable attack path with no user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the JDENET network protocol, granting full confidentiality, integrity, and availability impact on the ERP middleware. Oracle rates this CVSS 9.8 and describes it as easily exploitable, but at the time of analysis there is no public exploit identified and no CISA KEV listing. Defenders running JD Edwards ERP workloads should treat this as a top-priority patch from the Oracle June 2026 Critical Patch Update.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible by unauthenticated network attackers reaching the JDENET communications service, with no public exploit identified at time of analysis. The flaw resides in the Enterprise Infrastructure Security component and yields full confidentiality, integrity, and availability impact (CVSS 9.8), making any internet- or partner-network-exposed JDENET listener an urgent patching priority.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication service over the network. The flaw is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and Oracle's own 'easily exploitable' wording indicate trivial exploitation, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not yet listed in CISA KEV.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers reaching the JDENET service. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. No EPSS or CISA KEV signal is provided, but the combination of zero prerequisites and full impact warrants priority patching of internet-exposed JDE deployments.
The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library component, where a high-privileged attacker with HTTPS network access can fully compromise the platform and pivot into other managed Oracle products through a scope change. No public exploit identified at time of analysis, but the CVSS 3.1 score of 9.1 reflects severe confidentiality, integrity, and availability impact across multiple downstream systems. Patched via Oracle Critical Patch Update advisory cspujun2026.
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged attacker already logged on to the host infrastructure, resulting in unauthorized read access to a subset of VirtualBox-accessible data. The CVSS scope change (S:C) indicates the read impact may cross virtualization boundaries and affect additional products - such as guest VMs - beyond the VirtualBox process itself. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, placing this in a low-urgency but operationally meaningful category for multi-tenant virtualization environments.
Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authenticated, high-privileged attacker over HTTPS to modify or destroy critical data, read a subset of data, and trigger a complete denial of service, with scope change extending impact to additional products. Oracle rates the issue CVSS 3.1 9.0 and there is no public exploit identified at time of analysis, but the scope-change behavior and broad impact warrant prompt patching during the next Oracle CPU window.
Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-privileged network attacker to gain complete read access to all data accessible through MySQL Shell. The vulnerability, tagged as Authentication Bypass by ENISA intelligence (EUVD-2026-37364), exploits insufficient authorization controls within the Shell for VS Code component, granting data-tier access without requiring user interaction or elevated privileges beyond an initial low-level credential. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a low-privileged remote attacker can compromise the Shell with a scope-changing impact on additional products. The 8.5 CVSS score reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers practical exploitability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. The attack yields complete read access to all MySQL Shell-accessible data with no integrity or availability side effects. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-privileged attacker abusing the Extensibility Framework over HTTPS, yielding complete confidentiality, integrity, and availability compromise of the management platform. Oracle disclosed the issue in the June 2026 Critical Patch Update with a CVSS 3.1 base score of 7.2, and no public exploit identified at time of analysis. Because EM Base Platform manages large fleets of Oracle databases and middleware, a successful compromise gives an attacker a high-value pivot point even though privileged access is required to trigger it.
Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Extensibility Framework component, enabling an authenticated high-privilege attacker with HTTPS network access to fully compromise confidentiality, integrity, and availability of the management platform. The vendor (Oracle) advisory rates the issue at CVSS 3.1 7.2, and no public exploit identified at time of analysis, but successful exploitation yields complete product takeover. EPSS and CISA KEV signals are not provided in the input data.
Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated network attackers to crash or hang the management console and to perform unauthorized modifications to a subset of accessible data via the Agent Next Gen component over HTTPS. Oracle rates the issue CVSS 8.2 and notes the flaw is easily exploitable; no public exploit identified at time of analysis, and it is not listed on the CISA KEV catalog.
Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.
Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen component, where a low-privileged attacker with SSH network access can fully compromise confidentiality, integrity, and availability. Oracle rates this 8.8 and describes it as easily exploitable, but no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The single source is Oracle's June 2026 Critical Patch Update advisory, which is the authoritative reference for affected versions and fixes.
Remote unauthenticated denial-of-service in Oracle MySQL Server and MySQL Cluster (8.0.x, 8.4.x, and 9.0.0-9.7.0) allows network attackers to trigger a hang or repeatable crash of the database via the Server Connection Handling component. Oracle rates the issue as easily exploitable over multiple protocols with no authentication or user interaction, producing a complete availability loss (CVSS 7.5, A:H only). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. Because MySQL Router brokers application traffic to InnoDB Cluster/ReplicaSet backends, an outage cascades into downstream application unavailability even when the database servers themselves remain healthy.
Cross-component compromise in Oracle MySQL NDB Cluster (versions 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0) allows a low-privileged remote attacker with HTTP access to the NDB Operator component to read, modify, create, or delete all data accessible to the cluster. The scope-changed nature (S:C) means successful attacks reach beyond the NDB Cluster boundary into adjacent products. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Oracle's CVSS 9.6 rating and 'easily exploitable' characterization make this a high-priority patch.
Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.
Remote takeover of Oracle Agile PLM 9.3.6 is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. The Security component flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Tags indicate information disclosure as a key consequence, though the vector permits complete product compromise.
Remote unauthenticated tampering and denial-of-service in Oracle Enterprise Manager's APM (Application Performance Management) component, specifically the JADM / JVM Diagnostics module in versions 13.5 and 24.1, allows attackers reachable over HTTP to modify, create, or delete any APM-accessible data and to hang or repeatedly crash the service. The flaw is rated CVSS 9.1 with no privileges or user interaction required, but at time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network attackers to fully compromise the Oracle Management Service via HTTP. The flaw is rated CVSS 9.8 with low attack complexity and no user interaction, enabling complete takeover of the management platform. No public exploit identified at time of analysis, but the trivial exploitation profile and the platform's privileged role across managed Oracle estates make it a high-priority patching target.
Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker over HTTP coerces a victim user into interacting with a crafted request targeting the Metadata Plugin component. The flaw is scope-changing and yields full confidentiality, integrity, and availability impact on the platform and potentially adjacent products. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker via HTTPS, exploiting the Metadata Plugin component. The scope-changed flaw (CVSS 9.9) lets an attacker pivot to impact additional Oracle products beyond EM itself, and no public exploit identified at time of analysis.
Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management component) allows a low-privileged attacker with HTTP network access to compromise the platform and impact other Oracle products via scope change. The flaw carries a CVSS 9.9 rating reflecting low attack complexity and broad confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Enterprise Manager often holds privileged credentials for managed Oracle databases and middleware, successful exploitation effectively pivots the attacker into the wider Oracle estate.
Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to fully compromise the management platform - and potentially additional managed products - by tricking an authenticated user into interacting with a malicious HTTP-delivered payload targeting the Metadata Plugin component. The CVSS 3.1 base score is 9.6 with a scope change reflecting impact beyond the vulnerable component, and at time of analysis no public exploit identified at time of analysis. Because Oracle Enterprise Manager centrally controls fleets of Oracle databases, middleware, and infrastructure, successful exploitation has outsized blast-radius implications for downstream Oracle estates.
Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata Plugin component, allowing a low-privileged remote attacker over HTTPS to fully compromise the platform with a scope change that impacts additional products. The CVSS 3.1 base score of 9.9 reflects the broad confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.
Unauthorized data access and modification in Oracle PeopleSoft Enterprise CS Student Financials 9.2.38 allows low-privileged attackers with HTTP network access to read, create, delete, or modify all data accessible to the Student Financials module. Oracle rates this CVSS 8.1 due to high confidentiality and integrity impact with no availability effect. No public exploit identified at time of analysis, but the 'easily exploitable' vendor characterization and minimal privilege requirement make this a priority for institutions running affected campus financial systems.
Privilege escalation and data tampering in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows a low-privileged local user to compromise confidentiality and integrity of all WebLogic-accessible data when a separate user is tricked into interacting with attacker-supplied content. The scope-changed nature means impact extends beyond WebLogic to additional products in the environment. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 (Fusion Middleware, Runtime Tools component) allows a low-privileged attacker with HTTPS network access to fully compromise the portal and, due to a scope change, impact additional downstream products. Oracle rates this 9.9 critical and the issue is described as easily exploitable; no public exploit identified at time of analysis and it is not currently listed in CISA KEV. The combination of low privilege requirement, network vector, and scope change makes any authenticated WebCenter user a credible threat for full takeover.
Complete takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by unauthenticated remote attackers via crafted HTTP requests to the Security Framework component, with CVSS 10.0 reflecting a scope change that lets the compromise extend beyond WebCenter into adjacent Fusion Middleware products. No public exploit identified at time of analysis, but the combination of network attack vector, low complexity, no privileges, no user interaction, and Oracle's own 'easily exploitable' wording makes this a top-priority patching event. Vendor-released patch is available via the Oracle Critical Patch Update of June 2026 (CPUJUN2026).
Remote unauthenticated takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is possible via the Security Framework component, allowing attackers to fully compromise the portal over HTTPS without credentials or user interaction. Oracle rates this 9.8 CVSS (AV:N/AC:L/PR:N/UI:N) and describes exploitation as 'easily exploitable', though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows an authenticated low-privileged attacker to fully compromise the Portal over HTTPS and, due to a scope change, impact additional downstream products. Oracle rates the issue CVSS 9.9 and shipped fixes in the June 2026 Critical Patch Update; no public exploit identified at time of analysis, but the 'easily exploitable' wording and broad scope make this a high-priority Oracle CPU item.
Account/portal takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker to compromise the product over HTTPS with low attack complexity, and because the scope changes the impact extends beyond WebCenter Portal itself to additional integrated Fusion Middleware components. The flaw, disclosed in Oracle's June 2026 Critical Patch Update, carries a CVSS 3.1 base score of 9.9 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework component, where a low-privileged authenticated attacker with HTTPS access can fully compromise the platform and impact adjacent products via a scope change. The flaw carries a CVSS 3.1 score of 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Oracle disclosed this in the June 2026 Critical Patch Update advisory (cspujun2026), and exploitation is rated low complexity.
Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly privileged local attacker to make unauthorized modifications to critical data, with scope change indicating impact extends beyond the initially targeted VM instance. The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) confirms local-only attack surface requiring high privileges, but the confirmed scope change elevates the potential blast radius to the host or adjacent VMs. No public exploit has been identified at time of analysis, and the vulnerability is patched under Oracle's Critical Security Update for June 2026.
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged guest or host attacker to read a subset of VirtualBox-accessible data across the VM isolation boundary. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses the hypervisor boundary, making it relevant to multi-tenant or shared virtualization deployments despite the low base score of 3.2. No public exploit has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; Oracle addressed it in the June 2026 Critical Patch Update.
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.
Takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker over HTTP, with a scope-changed impact reaching adjacent Oracle Fusion Middleware products (CVSS 9.9). The flaw resides in the Security Framework component and was disclosed by Oracle in its June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority patching target.
Unauthenticated remote takeover of Oracle WebCenter Content (Content Server component) is possible in supported versions 12.2.1.4.0 and 14.1.2.0.0 via a network-reachable HTTP attack path. The flaw carries a CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle describes exploitation as 'easily exploitable.' No public exploit identified at time of analysis, but the combination of unauthenticated network reach and full compromise warrants prioritized patching of any internet-exposed Content Server.
Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - contingent on user interaction - to achieve limited confidentiality and integrity compromise, with scope change propagating impact to additional Fusion Middleware products. Versions 12.2.1.4.0 and 14.1.2.1.0 are confirmed affected per Oracle's June 2026 Critical Patch Update. The scope change (S:C) is particularly notable because OAM functions as an SSO gateway, meaning even limited manipulation during authentication flows can cascade to downstream applications sharing that identity fabric. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Unauthenticated network exploitation of Oracle Identity Manager's End User Self Service component via the IIOP protocol allows partial read and write access to identity data in versions 12.2.1.4.0 and 14.1.2.1.0. The authentication bypass tag alongside a PR:N CVSS vector confirms no credentials are required, making this accessible to any attacker who can reach the IIOP endpoint. No public exploit or active exploitation has been identified at time of analysis, but the sensitivity of identity governance data elevates the practical risk beyond the moderate CVSS score alone.
Unauthenticated remote compromise of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to read, create, modify, or delete all data accessible to the application. Oracle rates this as easily exploitable with no privileges or user interaction required (CVSS 9.1), and no public exploit identified at time of analysis. The flaw is tagged as an authentication bypass affecting the WebCenter Sites component of Oracle Fusion Middleware.
Cross-product compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a low-privileged remote attacker to read and modify critical data with scope change to additional Oracle Fusion Middleware products. Exploitation requires user interaction from a separate victim and yields high confidentiality and integrity impact (CVSS 3.1 base 8.7); no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Remote unauthenticated takeover of Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the OIM Legacy UI component when reachable over T3 or IIOP protocols, per Oracle's June 2026 Critical Patch Update advisory. The flaw scores CVSS 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity and access provisioning, successful exploitation effectively yields a tier-zero compromise of the IAM control plane.
Cross-context compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker over HTTPS to gain high-impact read access and limited write access to managed content, with effects that cross trust boundaries into additional Oracle Fusion Middleware products (scope change). Exploitation requires a victim to interact with attacker-controlled input (UI:R), and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Cross-scope compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows an unauthenticated remote attacker to read, modify, or delete all WebCenter Content-accessible data when a victim is lured into interacting with attacker-supplied content over HTTP. The scope-changed (S:C) nature of the flaw means impact extends beyond WebCenter Content into adjacent products in the Fusion Middleware deployment, earning a CVSS 9.3 rating. There is no public exploit identified at time of analysis, and the issue is not on CISA KEV.
Cross-tenant data compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a low-privileged authenticated attacker to coerce another user into an interaction that yields unauthorized read, create, modify, or delete access to all WebCenter Content data, with a scope change extending impact to additional Oracle Fusion Middleware products. Disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.7; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated remote takeover of Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP via a flaw in the Security Framework component, with a scope change extending impact to additional Oracle Fusion Middleware products. The maximum CVSS 3.1 score of 10.0 reflects network-reachable exploitation with no authentication or user interaction and full confidentiality, integrity, and availability loss; no public exploit identified at time of analysis, but the trivial attack profile makes this a top-priority patch.
Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP network access to fully compromise the Security Framework component and pivot into adjacent products via a scope change. The flaw carries a CVSS 3.1 base score of 9.9 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update, but no CISA KEV listing or EPSS data was provided in the input.
Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vendor and CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) characterizing the flaw as easily exploitable and yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, the issue is not on the CISA KEV list, and no EPSS score was provided, but the 9.8 base score plus Oracle's 'takeover' wording make this a top-tier patching priority on the Oracle Critical Patch Update cycle.
Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximum CVSS 3.1 base score of 10.0 and a scope change indicating impact beyond the WebCenter Sites boundary. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) lists the issue as easily exploitable with no privileges or user interaction required. There is no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.
Remote takeover of Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the product via HTTP, per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects complete loss of confidentiality, integrity, and availability with no privileges or user interaction required, and no public exploit identified at time of analysis. Oracle's own advisory characterizes the flaw as 'easily exploitable,' raising the urgency for affected customers despite the lack of a published CWE classification.
Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers over HTTP, with a CVSS 3.1 base score of 10.0 reflecting a scope change that can impact adjacent products. No public exploit identified at time of analysis, but Oracle has rated the issue as easily exploitable and released a fix in the June 2026 Critical Patch Update.
Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the content management platform. Oracle's June 2026 Critical Patch Update advisory rates this 9.8 CVSS and describes it as easily exploitable with no authentication or user interaction. No public exploit identified at time of analysis, but the unauthenticated network vector and high impact place this among the highest-priority items in the CPU.
Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with HTTP network access to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content. Oracle rates the flaw 8.0 (high) with confidentiality, integrity, and availability all marked High. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Cross-product compromise in Oracle JD Edwards EnterpriseOne Project Costing 9.2 (Job Costing component) allows a low-privileged attacker with network access via the JDENET protocol to read, modify, or delete all data accessible to the Project Costing module and to impact additional adjacent products through a scope change. Oracle rates this 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and there is no public exploit identified at time of analysis, with the issue tracked as EUVD-2026-37230.
Unauthenticated remote compromise in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows network attackers to obtain unauthorized access to critical data and cause a complete denial of service via HTTP against the Enterprise Infrastructure Security component. Oracle rates this 9.1 (CVSS 3.1) reflecting high confidentiality and availability impact with no authentication or user interaction required, though no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers via HTTP, per Oracle's June 2026 Critical Patch Update. The flaw resides in the Enterprise Infrastructure Security component and carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the trivial exploitation profile (AV:N/AC:L/PR:N/UI:N) against an internet-reachable ERP tier makes this a high-priority patching target.
Takeover of Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 is possible by a low-privileged remote attacker over HTTP, with scope-changing impact on adjacent products. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise plus a scope change (S:C), and no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update (CPU).
Takeover of Oracle JD Edwards EnterpriseOne Order Promising 9.2 is possible by a low-privileged remote attacker through the Order Promising Integration component over HTTP. The flaw produces a CVSS 3.1 scope change, meaning successful exploitation can significantly impact other interconnected products in the JD Edwards ecosystem. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Privilege escalation and scope-change attack in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows a low-privileged attacker with HTTP network access to compromise the Enterprise Infrastructure Security component and impact additional connected products. Successful exploitation yields full read access and the ability to create, modify, or delete all data accessible to JD Edwards EnterpriseOne Tools. No public exploit identified at time of analysis, and the issue was reported by Oracle as part of the June 2026 Critical Patch Update.
Remote unauthenticated takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible via the Web Runtime Security component over HTTP, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network vector make this a high-priority patching target for any organization running this ERP suite. Oracle disclosed it in the June 2026 Critical Patch Update (CPU).
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET network service, yielding full confidentiality, integrity, and availability compromise of the platform. Oracle rates the issue CVSS 9.8 and describes it as easily exploitable, though no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authenticated takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the Business Logic Infrastructure Security component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and no public exploit identified at time of analysis. The flaw is described as easily exploitable, making it a high-priority patch target for enterprises running affected Tools releases.
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Oracle E-Business Suite, is possible over HTTPS with low attack complexity. The flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8) on the Core component and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the trivial exploitability profile makes this a high-priority patching target.
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker over HTTPS to fully compromise the product and pivot into other E-Business Suite components via a CVSS scope change. Oracle has issued a fix in its June 2026 Critical Patch Update; no public exploit identified at time of analysis and EPSS/KEV signals were not provided.
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker to read and tamper with critical data across adjacent Oracle E-Business Suite components via HTTP. The scope-changed CVSS 3.1 score of 9.6 reflects high confidentiality and integrity impact reaching beyond the vulnerable component, though no public exploit identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update.
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows unauthenticated remote attackers to gain full read/write access to all framework-accessible data after tricking a user into interacting with a malicious request. The flaw is reachable over HTTPS with low attack complexity but requires user interaction, and no public exploit identified at time of analysis. Oracle published a vendor advisory in the June 2026 Critical Patch Update.
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker over HTTP to gain unauthorized read, modify, and delete access to all framework-accessible data, with scope change extending impact to other Oracle E-Business Suite products. The CVSS 9.9 score reflects low attack complexity, low privileges required, and the scope change that crosses security boundaries into adjacent products. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Business Suite, allows a high-privileged authenticated attacker with HTTP network access to fully compromise the ECC component and, through a scope change, significantly impact additional integrated products. Oracle's June 2026 Critical Patch Update advisory rates this CVSS 9.1 (C:H/I:H/A:H with S:C), and no public exploit identified at time of analysis. The combined high privilege requirement and scope change make this a real lateral-movement risk inside ERP deployments rather than a perimeter RCE.
Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievable by a low-privileged remote attacker over HTTP, with a scope change that lets the compromise impact other Oracle E-Business Suite components. The flaw carries a CVSS 3.1 base score of 9.9 (C:H/I:H/A:H, S:C). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Account takeover in Oracle iSupplier Portal (E-Business Suite versions 12.2.3-12.2.15) allows a low-privileged remote attacker to fully compromise the application by tricking a separate user into interacting with attacker-supplied content over HTTPS. The Home Page component is the entry point, and successful exploitation yields full confidentiality, integrity, and availability impact on the portal. No public exploit identified at time of analysis, but Oracle's critical patch advisory confirms the issue is real and patchable.
Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.
Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Human Resources Management 9.2 allows network attackers to read and modify all data accessible through the Human Resources component via crafted HTTP requests. Oracle rates this CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and labels it 'easily exploitable.' No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. The bug threatens financial data integrity, making it directly relevant to SOX, audit, and fraud-control programs.
Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. With a 9.8 CVSS base score and full confidentiality/integrity/availability impact, this represents a top-priority Oracle CPU finding, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the marketing component. Oracle's CVSS 3.1 base score of 9.8 reflects trivial network exploitability with no authentication or user interaction, and no public exploit identified at time of analysis. The flaw was disclosed in Oracle's Critical Patch Update cycle and tracked in ENISA's EUVD as EUVD-2026-37381.
Local privilege escalation in Oracle Siebel CRM Deployment (Database Upgrade component) versions 17.0 through 26.5 allows a low-privileged user with logon access to the host running the deployment to fully compromise the Siebel CRM Deployment instance. The flaw carries a CVSS 3.1 base score of 7.8 with high impact across confidentiality, integrity, and availability, and was disclosed in the Oracle Critical Patch Update advisory (cspujun2026). No public exploit identified at time of analysis and no EPSS or KEV signal was provided.
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle's CVSS 9.8 rating reflects easy exploitation with no authentication or user interaction required, though no public exploit is identified at time of analysis and the CVE is not currently listed in CISA KEV.
Authenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) allows a low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle rates this 8.8 CVSS 3.1 with low attack complexity and no user interaction, making it an easy-win post-authentication vulnerability against any reachable Siebel Marketing instance. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Account takeover of the Siebel CRM Integration component (EAI) in Oracle Siebel CRM versions 17.0 through 26.5 allows a low-privileged remote attacker with HTTP network access to fully compromise the integration component, impacting confidentiality, integrity, and availability. Oracle rates this 'easily exploitable' with CVSS 3.1 score 8.8, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, requiring no privileges or user interaction. Successful exploitation yields full compromise of the Marketing component with high confidentiality, integrity, and availability impact (CVSS 9.8). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 score reflects full compromise of confidentiality, integrity, and availability via a network-reachable attack path with no user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the JDENET network protocol, granting full confidentiality, integrity, and availability impact on the ERP middleware. Oracle rates this CVSS 9.8 and describes it as easily exploitable, but at the time of analysis there is no public exploit identified and no CISA KEV listing. Defenders running JD Edwards ERP workloads should treat this as a top-priority patch from the Oracle June 2026 Critical Patch Update.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible by unauthenticated network attackers reaching the JDENET communications service, with no public exploit identified at time of analysis. The flaw resides in the Enterprise Infrastructure Security component and yields full confidentiality, integrity, and availability impact (CVSS 9.8), making any internet- or partner-network-exposed JDENET listener an urgent patching priority.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication service over the network. The flaw is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated attackers reaching the JDENET communication channel, per Oracle's June 2026 Critical Patch Update. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) and Oracle's own 'easily exploitable' wording indicate trivial exploitation, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not yet listed in CISA KEV.
Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers reaching the JDENET service. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. No EPSS or CISA KEV signal is provided, but the combination of zero prerequisites and full impact warrants priority patching of internet-exposed JDE deployments.
The VMSVGA virtual graphics device in Oracle VM VirtualBox 7.2.8 allows a high-privileged local attacker to cross the guest-to-host isolation boundary and gain unauthorized read access to critical data beyond the VM's intended scope. The CVSS scope change (S:C) confirms this is a hypervisor boundary violation - successful exploitation exposes host-level or cross-VM confidential data, a severe outcome in multi-tenant virtualization environments despite the moderate base score. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation.
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library component, where a high-privileged attacker with HTTPS network access can fully compromise the platform and pivot into other managed Oracle products through a scope change. No public exploit identified at time of analysis, but the CVSS 3.1 score of 9.1 reflects severe confidentiality, integrity, and availability impact across multiple downstream systems. Patched via Oracle Critical Patch Update advisory cspujun2026.
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged attacker already logged on to the host infrastructure, resulting in unauthorized read access to a subset of VirtualBox-accessible data. The CVSS scope change (S:C) indicates the read impact may cross virtualization boundaries and affect additional products - such as guest VMs - beyond the VirtualBox process itself. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, placing this in a low-urgency but operationally meaningful category for multi-tenant virtualization environments.
Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authenticated, high-privileged attacker over HTTPS to modify or destroy critical data, read a subset of data, and trigger a complete denial of service, with scope change extending impact to additional products. Oracle rates the issue CVSS 3.1 9.0 and there is no public exploit identified at time of analysis, but the scope-change behavior and broad impact warrant prompt patching during the next Oracle CPU window.
Unauthorized data disclosure in Oracle MySQL Shell's VS Code extension component (version 2026.2.0+9.6.1) allows a low-privileged network attacker to gain complete read access to all data accessible through MySQL Shell. The vulnerability, tagged as Authentication Bypass by ENISA intelligence (EUVD-2026-37364), exploits insufficient authorization controls within the Shell for VS Code component, granting data-tier access without requiring user interaction or elevated privileges beyond an initial low-level credential. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a low-privileged remote attacker can compromise the Shell with a scope-changing impact on additional products. The 8.5 CVSS score reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers practical exploitability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. The attack yields complete read access to all MySQL Shell-accessible data with no integrity or availability side effects. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-privileged attacker abusing the Extensibility Framework over HTTPS, yielding complete confidentiality, integrity, and availability compromise of the management platform. Oracle disclosed the issue in the June 2026 Critical Patch Update with a CVSS 3.1 base score of 7.2, and no public exploit identified at time of analysis. Because EM Base Platform manages large fleets of Oracle databases and middleware, a successful compromise gives an attacker a high-value pivot point even though privileged access is required to trigger it.
Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Extensibility Framework component, enabling an authenticated high-privilege attacker with HTTPS network access to fully compromise confidentiality, integrity, and availability of the management platform. The vendor (Oracle) advisory rates the issue at CVSS 3.1 7.2, and no public exploit identified at time of analysis, but successful exploitation yields complete product takeover. EPSS and CISA KEV signals are not provided in the input data.
Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated network attackers to crash or hang the management console and to perform unauthorized modifications to a subset of accessible data via the Agent Next Gen component over HTTPS. Oracle rates the issue CVSS 8.2 and notes the flaw is easily exploitable; no public exploit identified at time of analysis, and it is not listed on the CISA KEV catalog.
Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.
Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen component, where a low-privileged attacker with SSH network access can fully compromise confidentiality, integrity, and availability. Oracle rates this 8.8 and describes it as easily exploitable, but no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The single source is Oracle's June 2026 Critical Patch Update advisory, which is the authoritative reference for affected versions and fixes.
Remote unauthenticated denial-of-service in Oracle MySQL Server and MySQL Cluster (8.0.x, 8.4.x, and 9.0.0-9.7.0) allows network attackers to trigger a hang or repeatable crash of the database via the Server Connection Handling component. Oracle rates the issue as easily exploitable over multiple protocols with no authentication or user interaction, producing a complete availability loss (CVSS 7.5, A:H only). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. Because MySQL Router brokers application traffic to InnoDB Cluster/ReplicaSet backends, an outage cascades into downstream application unavailability even when the database servers themselves remain healthy.
Cross-component compromise in Oracle MySQL NDB Cluster (versions 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0) allows a low-privileged remote attacker with HTTP access to the NDB Operator component to read, modify, create, or delete all data accessible to the cluster. The scope-changed nature (S:C) means successful attacks reach beyond the NDB Cluster boundary into adjacent products. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Oracle's CVSS 9.6 rating and 'easily exploitable' characterization make this a high-priority patch.
Remote takeover of Oracle MySQL Router 9.0.0 through 9.7.0 is possible by unauthenticated attackers reaching the Router over HTTP, per Oracle's Critical Patch Update advisory (CPU June 2026). Oracle scores this 9.8 CVSS 3.1 with full confidentiality, integrity, and availability impact, and rates exploitation as easy. No public exploit identified at time of analysis and the CVE is not present in CISA KEV, but the network-reachable, no-auth, low-complexity profile makes it a high-priority patch.
Remote takeover of Oracle Agile PLM 9.3.6 is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. The Security component flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Tags indicate information disclosure as a key consequence, though the vector permits complete product compromise.
Remote unauthenticated tampering and denial-of-service in Oracle Enterprise Manager's APM (Application Performance Management) component, specifically the JADM / JVM Diagnostics module in versions 13.5 and 24.1, allows attackers reachable over HTTP to modify, create, or delete any APM-accessible data and to hang or repeatedly crash the service. The flaw is rated CVSS 9.1 with no privileges or user interaction required, but at time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network attackers to fully compromise the Oracle Management Service via HTTP. The flaw is rated CVSS 9.8 with low attack complexity and no user interaction, enabling complete takeover of the management platform. No public exploit identified at time of analysis, but the trivial exploitation profile and the platform's privileged role across managed Oracle estates make it a high-priority patching target.
Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker over HTTP coerces a victim user into interacting with a crafted request targeting the Metadata Plugin component. The flaw is scope-changing and yields full confidentiality, integrity, and availability impact on the platform and potentially adjacent products. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker via HTTPS, exploiting the Metadata Plugin component. The scope-changed flaw (CVSS 9.9) lets an attacker pivot to impact additional Oracle products beyond EM itself, and no public exploit identified at time of analysis.
Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management component) allows a low-privileged attacker with HTTP network access to compromise the platform and impact other Oracle products via scope change. The flaw carries a CVSS 9.9 rating reflecting low attack complexity and broad confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Enterprise Manager often holds privileged credentials for managed Oracle databases and middleware, successful exploitation effectively pivots the attacker into the wider Oracle estate.
Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to fully compromise the management platform - and potentially additional managed products - by tricking an authenticated user into interacting with a malicious HTTP-delivered payload targeting the Metadata Plugin component. The CVSS 3.1 base score is 9.6 with a scope change reflecting impact beyond the vulnerable component, and at time of analysis no public exploit identified at time of analysis. Because Oracle Enterprise Manager centrally controls fleets of Oracle databases, middleware, and infrastructure, successful exploitation has outsized blast-radius implications for downstream Oracle estates.
Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata Plugin component, allowing a low-privileged remote attacker over HTTPS to fully compromise the platform with a scope change that impacts additional products. The CVSS 3.1 base score of 9.9 reflects the broad confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.
Unauthorized data access and modification in Oracle PeopleSoft Enterprise CS Student Financials 9.2.38 allows low-privileged attackers with HTTP network access to read, create, delete, or modify all data accessible to the Student Financials module. Oracle rates this CVSS 8.1 due to high confidentiality and integrity impact with no availability effect. No public exploit identified at time of analysis, but the 'easily exploitable' vendor characterization and minimal privilege requirement make this a priority for institutions running affected campus financial systems.
Privilege escalation and data tampering in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows a low-privileged local user to compromise confidentiality and integrity of all WebLogic-accessible data when a separate user is tricked into interacting with attacker-supplied content. The scope-changed nature means impact extends beyond WebLogic to additional products in the environment. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 (Fusion Middleware, Runtime Tools component) allows a low-privileged attacker with HTTPS network access to fully compromise the portal and, due to a scope change, impact additional downstream products. Oracle rates this 9.9 critical and the issue is described as easily exploitable; no public exploit identified at time of analysis and it is not currently listed in CISA KEV. The combination of low privilege requirement, network vector, and scope change makes any authenticated WebCenter user a credible threat for full takeover.
Complete takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by unauthenticated remote attackers via crafted HTTP requests to the Security Framework component, with CVSS 10.0 reflecting a scope change that lets the compromise extend beyond WebCenter into adjacent Fusion Middleware products. No public exploit identified at time of analysis, but the combination of network attack vector, low complexity, no privileges, no user interaction, and Oracle's own 'easily exploitable' wording makes this a top-priority patching event. Vendor-released patch is available via the Oracle Critical Patch Update of June 2026 (CPUJUN2026).
Remote unauthenticated takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is possible via the Security Framework component, allowing attackers to fully compromise the portal over HTTPS without credentials or user interaction. Oracle rates this 9.8 CVSS (AV:N/AC:L/PR:N/UI:N) and describes exploitation as 'easily exploitable', though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows an authenticated low-privileged attacker to fully compromise the Portal over HTTPS and, due to a scope change, impact additional downstream products. Oracle rates the issue CVSS 9.9 and shipped fixes in the June 2026 Critical Patch Update; no public exploit identified at time of analysis, but the 'easily exploitable' wording and broad scope make this a high-priority Oracle CPU item.
Account/portal takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker to compromise the product over HTTPS with low attack complexity, and because the scope changes the impact extends beyond WebCenter Portal itself to additional integrated Fusion Middleware components. The flaw, disclosed in Oracle's June 2026 Critical Patch Update, carries a CVSS 3.1 base score of 9.9 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework component, where a low-privileged authenticated attacker with HTTPS access can fully compromise the platform and impact adjacent products via a scope change. The flaw carries a CVSS 3.1 score of 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Oracle disclosed this in the June 2026 Critical Patch Update advisory (cspujun2026), and exploitation is rated low complexity.
Integrity compromise in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device component allows a highly privileged local attacker to make unauthorized modifications to critical data, with scope change indicating impact extends beyond the initially targeted VM instance. The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N) confirms local-only attack surface requiring high privileges, but the confirmed scope change elevates the potential blast radius to the host or adjacent VMs. No public exploit has been identified at time of analysis, and the vulnerability is patched under Oracle's Critical Security Update for June 2026.
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged guest or host attacker to read a subset of VirtualBox-accessible data across the VM isolation boundary. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses the hypervisor boundary, making it relevant to multi-tenant or shared virtualization deployments despite the low base score of 3.2. No public exploit has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; Oracle addressed it in the June 2026 Critical Patch Update.
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.
Takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker over HTTP, with a scope-changed impact reaching adjacent Oracle Fusion Middleware products (CVSS 9.9). The flaw resides in the Security Framework component and was disclosed by Oracle in its June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low attack complexity and minimal privilege requirement make this a high-priority patching target.
Unauthenticated remote takeover of Oracle WebCenter Content (Content Server component) is possible in supported versions 12.2.1.4.0 and 14.1.2.0.0 via a network-reachable HTTP attack path. The flaw carries a CVSS 9.8 with full confidentiality, integrity, and availability impact, and Oracle describes exploitation as 'easily exploitable.' No public exploit identified at time of analysis, but the combination of unauthenticated network reach and full compromise warrants prioritized patching of any internet-exposed Content Server.
Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - contingent on user interaction - to achieve limited confidentiality and integrity compromise, with scope change propagating impact to additional Fusion Middleware products. Versions 12.2.1.4.0 and 14.1.2.1.0 are confirmed affected per Oracle's June 2026 Critical Patch Update. The scope change (S:C) is particularly notable because OAM functions as an SSO gateway, meaning even limited manipulation during authentication flows can cascade to downstream applications sharing that identity fabric. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Unauthenticated network exploitation of Oracle Identity Manager's End User Self Service component via the IIOP protocol allows partial read and write access to identity data in versions 12.2.1.4.0 and 14.1.2.1.0. The authentication bypass tag alongside a PR:N CVSS vector confirms no credentials are required, making this accessible to any attacker who can reach the IIOP endpoint. No public exploit or active exploitation has been identified at time of analysis, but the sensitivity of identity governance data elevates the practical risk beyond the moderate CVSS score alone.
Unauthenticated remote compromise of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to read, create, modify, or delete all data accessible to the application. Oracle rates this as easily exploitable with no privileges or user interaction required (CVSS 9.1), and no public exploit identified at time of analysis. The flaw is tagged as an authentication bypass affecting the WebCenter Sites component of Oracle Fusion Middleware.
Cross-product compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a low-privileged remote attacker to read and modify critical data with scope change to additional Oracle Fusion Middleware products. Exploitation requires user interaction from a separate victim and yields high confidentiality and integrity impact (CVSS 3.1 base 8.7); no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Remote unauthenticated takeover of Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the OIM Legacy UI component when reachable over T3 or IIOP protocols, per Oracle's June 2026 Critical Patch Update advisory. The flaw scores CVSS 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity and access provisioning, successful exploitation effectively yields a tier-zero compromise of the IAM control plane.
Cross-context compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker over HTTPS to gain high-impact read access and limited write access to managed content, with effects that cross trust boundaries into additional Oracle Fusion Middleware products (scope change). Exploitation requires a victim to interact with attacker-controlled input (UI:R), and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Cross-scope compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows an unauthenticated remote attacker to read, modify, or delete all WebCenter Content-accessible data when a victim is lured into interacting with attacker-supplied content over HTTP. The scope-changed (S:C) nature of the flaw means impact extends beyond WebCenter Content into adjacent products in the Fusion Middleware deployment, earning a CVSS 9.3 rating. There is no public exploit identified at time of analysis, and the issue is not on CISA KEV.
Cross-tenant data compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a low-privileged authenticated attacker to coerce another user into an interaction that yields unauthorized read, create, modify, or delete access to all WebCenter Content data, with a scope change extending impact to additional Oracle Fusion Middleware products. Disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.7; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated remote takeover of Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP via a flaw in the Security Framework component, with a scope change extending impact to additional Oracle Fusion Middleware products. The maximum CVSS 3.1 score of 10.0 reflects network-reachable exploitation with no authentication or user interaction and full confidentiality, integrity, and availability loss; no public exploit identified at time of analysis, but the trivial attack profile makes this a top-priority patch.
Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP network access to fully compromise the Security Framework component and pivot into adjacent products via a scope change. The flaw carries a CVSS 3.1 base score of 9.9 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update, but no CISA KEV listing or EPSS data was provided in the input.
Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vendor and CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) characterizing the flaw as easily exploitable and yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, the issue is not on the CISA KEV list, and no EPSS score was provided, but the 9.8 base score plus Oracle's 'takeover' wording make this a top-tier patching priority on the Oracle Critical Patch Update cycle.
Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximum CVSS 3.1 base score of 10.0 and a scope change indicating impact beyond the WebCenter Sites boundary. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) lists the issue as easily exploitable with no privileges or user interaction required. There is no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.
Remote takeover of Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the product via HTTP, per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects complete loss of confidentiality, integrity, and availability with no privileges or user interaction required, and no public exploit identified at time of analysis. Oracle's own advisory characterizes the flaw as 'easily exploitable,' raising the urgency for affected customers despite the lack of a published CWE classification.
Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers over HTTP, with a CVSS 3.1 base score of 10.0 reflecting a scope change that can impact adjacent products. No public exploit identified at time of analysis, but Oracle has rated the issue as easily exploitable and released a fix in the June 2026 Critical Patch Update.
Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the content management platform. Oracle's June 2026 Critical Patch Update advisory rates this 9.8 CVSS and describes it as easily exploitable with no authentication or user interaction. No public exploit identified at time of analysis, but the unauthenticated network vector and high impact place this among the highest-priority items in the CPU.
Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with HTTP network access to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content. Oracle rates the flaw 8.0 (high) with confidentiality, integrity, and availability all marked High. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.