Skip to main content

Oracle

7770 CVEs vendor

Monthly

CVE-2026-46795 CRITICAL Act Now

Cross-product compromise of Oracle WebCenter Content 14.1.2.0.0 (Fusion Middleware Content Server) allows a remote unauthenticated attacker to abuse a victim's browser session to gain high-impact read and write access to all WebCenter Content data, with scope change extending the impact to additional Oracle products. The CVSS 3.1 base score is 9.3 with a scope-changed vector requiring user interaction (UI:R), and no public exploit identified at time of analysis.

Authentication Bypass Oracle Oracle Webcenter Content
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-46794 CRITICAL Act Now

Privilege escalation to full takeover in Oracle Identity Manager Connector (Fusion Middleware) allows a low-privileged remote attacker with SSH network access to compromise the Generic Unix Connector and pivot into additional Fusion Middleware components via a CVSS scope change. Versions 12.2.1.4.0 and 14.1.2.1.0 are affected, with Oracle rating the issue 9.9 due to high confidentiality, integrity, and availability impact across product boundaries. No public exploit identified at time of analysis, but the AV:N/AC:L profile and SSH-reachable attack surface make this a high-priority Oracle CPU item.

Oracle Identity Manager Connector Privilege Escalation
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46793 CRITICAL Act Now

Takeover of Oracle Identity Manager Connector (Fusion Middleware) is achievable by a low-privileged remote attacker over HTTP, with a scope-changing impact that extends compromise to additional Oracle products. Oracle rates this 9.9 CVSS 3.1 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Affected releases are 12.2.1.4.0 and 14.1.2.1.0, with the fix delivered in Oracle's June 2026 Critical Patch Update.

Oracle Identity Manager Connector Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46792 CRITICAL Act Now

Full takeover of Oracle Identity Manager Connector (versions 12.2.1.4.0 and 14.1.2.1.0) is achievable by a low-privileged remote attacker via HTTP against the Generic Unix Connector component, with scope-changed impact reaching additional Oracle Fusion Middleware products. Oracle rates this CVSS 9.9 due to high confidentiality, integrity, and availability impact combined with low attack complexity and minimal privileges. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Identity Manager Connector Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46791 HIGH This Week

Unauthorized data disclosure in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows unauthenticated remote attackers to access all data accessible to the application via HTTP. The flaw carries a CVSS 3.1 base score of 7.5 with high confidentiality impact and no integrity or availability impact, and currently has no public exploit identified at time of analysis.

Authentication Bypass Oracle Oracle Webcenter Content
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-46790 MEDIUM This Month

Unauthorized information disclosure in Oracle WebCenter Content 14.1.2.0.0 exposes a subset of managed content to remote unauthenticated attackers via HTTP against the Content Server component. The intelligence tags classify the mechanism as an Authentication Bypass, suggesting the Content Server fails to enforce access controls on certain requests before serving content. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the zero-complexity, zero-privilege CVSS vector means any network-reachable attacker can attempt exploitation without preconditions.

Oracle Oracle Webcenter Content Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-46789 CRITICAL Act Now

Remote takeover of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) is achievable by unauthenticated network attackers who can lure a victim into triggering a crafted HTTP interaction, with scope change extending impact to additional products. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) assigns CVSS 9.6 reflecting full confidentiality, integrity, and availability loss, and no public exploit identified at time of analysis.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-46788 HIGH This Week

Takeover of Oracle WebCenter Content 14.1.2.0.0 is possible when a high-privileged attacker over HTTP induces a separate user to interact with crafted content, resulting in full confidentiality, integrity, and availability compromise plus impact on adjacent products via CVSS scope change. The Oracle Critical Patch Update (June 2026) lists this in the Content Server component with a CVSS 3.1 base score of 8.4. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
8.4
EPSS
0.4%
CVE-2026-46787 HIGH This Week

Cross-component compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server) allows a remote unauthenticated attacker who can lure a privileged user into interacting with attacker-controlled content to read or modify all WebCenter Content data and pivot into additional Oracle Fusion Middleware products via a scope change. The CVSS 3.1 base score of 8.0 reflects high confidentiality and integrity impact tempered by high attack complexity and required user interaction, and no public exploit identified at time of analysis.

Authentication Bypass Oracle Oracle Webcenter Content CSRF
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-46786 CRITICAL Act Now

Account takeover in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content over HTTP. The scope-changing flaw carries a CVSS 3.1 base score of 9.6 with high confidentiality, integrity, and availability impact, and there is no public exploit identified at time of analysis. Listed in the ENISA EUVD as EUVD-2026-37304 and addressed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Webcenter Content CSRF
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-46785 CRITICAL Act Now

Cross-component compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server) allows a remote unauthenticated attacker to read, create, modify, or delete all data accessible to the product after coaxing a victim into a single interaction over HTTP. The scope-changed nature means the impact extends beyond WebCenter Content into other Fusion Middleware components sharing trust with it. No public exploit identified at time of analysis, and the issue is not in CISA KEV, but the 9.3 CVSS base score and 'easily exploitable' wording from Oracle place it in the priority-patch tier for the June 2026 CPU.

Authentication Bypass Oracle Oracle Webcenter Content CSRF
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-46784 CRITICAL Act Now

Unauthenticated remote compromise of Oracle WebCenter Content: Imaging (component: Core) in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0 allows attackers to read and modify all data accessible to the Imaging service over HTTP. The flaw is rated CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and Oracle classifies it as easily exploitable. No public exploit identified at time of analysis, and the CVE is not currently listed on CISA KEV.

Authentication Bypass Oracle Webcenter Content
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46783 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Content: Imaging (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via HTTP, per Oracle's June 2026 Critical Patch Update. With a CVSS 3.1 base score of 9.8 and AV:N/AC:L/PR:N/UI:N, the flaw in the Core component enables full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46782 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible by a low-privileged attacker with HTTP access to the Client Bundle component, with scope change extending impact to other Oracle Fusion Middleware products. CVSS 9.9 reflects easy exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46781 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the RMI-based Client Bundle component, with a maximum CVSS 3.1 score of 10.0 due to a scope change that impacts additional products. Oracle's June 2026 CPU advisory is the authoritative source, and no public exploit identified at time of analysis, though the AV:N/AC:L/PR:N/UI:N profile makes weaponization plausible once technical details emerge.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-46780 HIGH This Week

Account takeover in Oracle WebCenter Content: Imaging (Fusion Middleware) allows a low-privileged authenticated attacker with HTTP network access to fully compromise the Imaging component on versions 12.2.1.4.0 and 14.1.2.0.0. Oracle rates the flaw CVSS 8.8 with high impact across confidentiality, integrity, and availability, and describes it as 'easily exploitable.' No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Oracle Authentication Bypass Webcenter Content
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-46779 CRITICAL Act Now

Takeover of Oracle WebCenter Enterprise Capture is achievable by a low-privileged remote attacker via the T3 protocol in the Client Bundle component, affecting versions 12.2.1.4.0 and 14.1.2.0.0. The flaw carries a CVSS 3.1 base score of 9.9 with a scope change, meaning successful exploitation can significantly impact additional adjacent products beyond the vulnerable component. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46778 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via the Client Bundle component over RMI, allowing unauthenticated network attackers to fully compromise the product and pivot into other Fusion Middleware components due to a CVSS scope change. With a maximum 10.0 CVSS score, low attack complexity, and no privileges or user interaction required, this is a top-priority issue, though no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-46777 CRITICAL Act Now

Unauthenticated remote compromise of Oracle WebCenter Content (Fusion Middleware Content Server) in versions 12.2.1.4.0 and 14.1.2.0.0 allows network-based attackers to read, create, modify, or delete any data accessible to the Content Server via HTTP. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact, no authentication, and low attack complexity. No public exploit identified at time of analysis, but Oracle's tagging as an authentication-bypass class issue and the trivial exploitability profile make it a high-priority patch target.

Authentication Bypass Oracle Oracle Webcenter Content
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46776 HIGH This Week

Unauthenticated LDAP-based compromise of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 allows remote attackers to create, delete, or modify critical directory data, read a subset of directory data, and trigger a partial denial of service. The flaw resides in the OUD Core component and was disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.6; no public exploit identified at time of analysis and the issue is not in CISA KEV.

Denial Of Service Oracle Oracle Unified Directory Authentication Bypass
NVD
CVSS 3.1
8.6
EPSS
0.4%
CVE-2026-46774 CRITICAL Act Now

Remote takeover of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 is possible via the OUD Core component's RMI interface, allowing unauthenticated network attackers to fully compromise the LDAP directory service. Oracle rates this CVSS 9.8 with confidentiality, integrity, and availability impacts; no public exploit identified at time of analysis and it is not currently listed in CISA KEV, but the RMI attack surface and trivial complexity make it a high-priority patching target.

Oracle Oracle Unified Directory Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46773 CRITICAL Act Now

Unauthenticated LDAP-based takeover of Oracle Unified Directory affects supported versions 12.2.1.4.0 and 14.1.2.1.0 within Oracle Fusion Middleware, allowing a remote attacker with network reachability to the LDAP service to fully compromise the directory server. The flaw carries a CVSS 3.1 base score of 9.8 with high confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because directory services underpin enterprise identity, successful exploitation cascades into authentication and authorization decisions for every downstream application that relies on OUD.

Oracle Oracle Unified Directory Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46772 MEDIUM This Month

Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. No public exploit exists and this CVE is not listed in the CISA KEV catalog; however, the 'Authentication Bypass' tag suggests the flaw undermines role-based or session-level access separation within ADF Faces despite the attacker already holding high privileges.

Authentication Bypass Oracle Oracle Application Development Framework Adf
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-46771 MEDIUM This Month

Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.

Authentication Bypass Java Oracle Oracle Application Development Framework Adf
NVD VulDB
CVSS 3.1
4.1
EPSS
0.1%
CVE-2026-46770 MEDIUM This Month

Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework component allows network-based unauthenticated attackers to compromise versions 12.2.1.4.0 and 14.1.2.0.0 via HTTP when a victim user interacts with a malicious payload. Successful exploitation results in unauthorized read access to a subset of ADF data and unauthorized modification of ADF-accessible data, with a confirmed scope change indicating downstream impact on additional Oracle Fusion Middleware products. No public exploit has been identified at time of analysis, and no CISA KEV listing exists.

Authentication Bypass Oracle Oracle Application Development Framework Adf
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-46769 HIGH This Week

Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Oracle Oracle Application Development Framework Adf Authentication Bypass
NVD VulDB
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46768 MEDIUM This Month

Denial-of-service in Oracle VM VirtualBox 7.2.8 affects the VMSVGA virtual graphics device emulation layer, allowing a highly privileged local attacker to cause a persistent hang or fully repeatable crash of the hypervisor process. The CVSS Scope:Changed metric signals that the DoS impact propagates beyond the attacker's own guest VM, potentially destabilizing the host process and all co-resident VMs - a meaningful concern in multi-tenant and VDI environments. No public exploit code exists and no CISA KEV listing is present at time of analysis; exploitation is bounded by the requirement for high-privileged local access to the infrastructure.

Oracle Oracle Vm Virtualbox Authentication Bypass
NVD VulDB
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-46767 CRITICAL Act Now

Privilege escalation to full takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with HTTP network access to compromise the Composer component and, due to a CVSS scope change, impact additional downstream products. The flaw carries a CVSS 3.1 base score of 9.9 and is marked easily exploitable by Oracle, though no public exploit identified at time of analysis. EPSS data and CISA KEV status are not provided in the available intelligence.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46766 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP requests to the Content Server component, per Oracle's June 2026 CPU advisory. The CVSS 9.8 score reflects full confidentiality, integrity, and availability impact with no authentication required. Status is no public exploit identified at time of analysis, but trivial exploitability against an internet-facing enterprise content platform makes this a priority patching candidate.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46765 CRITICAL Act Now

Privilege escalation and full takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker through the Composer component, with a scope change that lets the impact reach additional products in the Fusion Middleware stack. Oracle rates the flaw 9.9 CVSS due to the combination of low attack complexity, low privilege requirement, and full CIA impact, and no public exploit has been identified at time of analysis.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35327 HIGH This Week

Cross-tenant data exposure in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker to compromise the Content Server component via HTTPS when a victim is tricked into interacting with attacker-supplied content. The flaw produces a scope change, meaning successful exploitation can reach beyond WebCenter Content itself, yielding high confidentiality loss and limited integrity modifications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Webcenter Content
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-35326 HIGH This Week

Full takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible when a high-privileged attacker reaches the Content Server over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw yields complete confidentiality, integrity, and availability compromise (CVSS 7.2) but requires existing elevated privileges, and no public exploit identified at time of analysis. Exploitation is rated easy once the privilege bar is met, making this a priority for environments where many users hold administrative roles in Content Server.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-35325 HIGH This Week

Privilege escalation to full product takeover in Oracle WebCenter Content (Content Server component) versions 12.2.1.4.0 and 14.1.2.0.0 allows low-privileged attackers with HTTP network access to fully compromise the system. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35324 HIGH This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 (Content Server component) allows a low-privileged authenticated attacker with HTTP network access to fully compromise the product, impacting confidentiality, integrity, and availability. Oracle rates this 8.8 (CVSS 3.1) and describes it as 'easily exploitable.' No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35323 CRITICAL Act Now

Takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible by a low-privileged attacker sending HTTP requests to the Content Server component, with a scope change that can significantly impact additional products. Oracle rates this 9.9 CVSS and describes it as easily exploitable, and no public exploit identified at time of analysis. Reported in the Oracle Critical Patch Update for June 2026, the flaw enables full compromise of the WebCenter Content instance and any in-scope downstream systems.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35322 HIGH This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker to fully compromise the Content Server over HTTP. Oracle's June 2026 Critical Patch Update rates this 8.8 with complete confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis.

Oracle Oracle Webcenter Content Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35321 CRITICAL Act Now

Takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker over HTTP, with scope change enabling impact on adjacent products in the Fusion Middleware stack. The flaw carries a CVSS 3.1 base score of 9.9 and is described by Oracle as easily exploitable, though no public exploit identified at time of analysis. Authenticated access to the Content Server is the only meaningful barrier, making this a high-priority patch item for enterprises using WebCenter Content for document management.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35320 CRITICAL Act Now

Remote takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible through the Content Server component, allowing an unauthenticated network attacker to fully compromise the product with cascading impact to other Oracle Fusion Middleware components due to a scope change. Oracle assigned a CVSS 3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), and no public exploit identified at time of analysis. The high attack complexity tempers the otherwise critical rating, but a successful exploit yields complete takeover.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.0
EPSS
0.4%
CVE-2026-35319 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible via the Content Server component over HTTP, scored CVSS 9.8 by Oracle. No public exploit identified at time of analysis, but the low attack complexity and lack of authentication requirement make this a high-priority patch target for any Oracle Fusion Middleware environment exposing WebCenter Content.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35318 HIGH This Week

Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker with HTTP access to fully compromise the product. The flaw is rated CVSS 8.8 with high impact across confidentiality, integrity, and availability, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35317 HIGH POC This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP network access to fully compromise the Content Server component. Oracle rates the flaw 8.8 with high impact across confidentiality, integrity and availability, and characterizes it as easily exploitable. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor's 'takeover' wording and low complexity make this a priority patch.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35316 CRITICAL Act Now

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 (Content Server component) allows a low-privileged remote attacker to compromise the application over HTTP and pivot to other products via a scope change. The CVSS 3.1 base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting easy exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35315 HIGH This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 (Content Server component) lets a low-privileged remote attacker fully compromise the platform over HTTP without user interaction. Oracle's own CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability, and there is no public exploit identified at time of analysis. Disclosed via the Oracle Critical Security Patch Update advisory (cspujun2026), making this a vendor-confirmed flaw rather than third-party speculation.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35314 HIGH This Week

Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Denial Of Service Oracle Oracle Access Manager Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2026-35313 CRITICAL Act Now

Privilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the identity broker via the Authentication Engine component, with a CVSS 9.9 score reflecting a scope-changing impact on downstream protected applications. No public exploit identified at time of analysis, but Oracle's June 2026 Critical Patch Update flags it as easily exploitable over HTTP, making it a high-priority patch for any environment using OAM for SSO/federation.

Oracle Oracle Access Manager Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35312 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Virtual Directory 12.2.1.4.0 and 14.1.2.0.0 is possible via crafted LDAP traffic, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The flaw lives in the Virtual Directory Server component of Oracle Fusion Middleware and is described by Oracle as easily exploitable over the network with no authentication or user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Virtual Directory Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35311 HIGH This Week

Authenticated remote code execution in Oracle WebLogic Server 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP access to fully take over the server, per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 8.8 reflects full confidentiality, integrity, and availability impact with low attack complexity. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35310 CRITICAL Act Now

Remote takeover of Oracle Coherence (Fusion Middleware component) is possible by unauthenticated network attackers reaching the HTTP interface, per Oracle's June 2026 Critical Patch Update. Affected versions span 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0, with a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network reach make this a top-priority patch for any exposed Coherence cluster.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35309 CRITICAL Act Now

Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion Middleware deployments running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0. The flaw resides in the Centralized Third Party Jars component and carries a critical 9.8 CVSS score with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the trivial attack profile and Oracle's CPU disclosure pattern make weaponization likely.

Oracle Oracle Coherence Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35308 CRITICAL Act Now

Remote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthenticated network attacker over HTTP to fully compromise affected deployments, with scope change permitting impact on additional connected products. Supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 carry a maximum CVSS 3.1 base score of 10.0 across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-35307 CRITICAL Act Now

Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion Middleware versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries the maximum CVSS 3.1 base score of 10.0 with scope change, meaning successful exploitation can pivot impact into other products that rely on the Coherence cluster. No public exploit identified at time of analysis, but the trivial attack complexity and Oracle's critical scoring make this a top-priority patch item.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-35306 CRITICAL Act Now

Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware, Centralized Third Party Jars component) allows network-based attackers to read all Coherence-accessible data and perform limited data modification over HTTP, with a scope change that can impact additional products in the same deployment. Oracle rates the issue CVSS 9.3 and describes it as easily exploitable; no public exploit identified at time of analysis and it is not currently on the CISA KEV list.

Authentication Bypass Oracle Oracle Coherence
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-35305 CRITICAL Act Now

Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware) via HTTP allows attackers to read all accessible data and modify a subset, with a scope change that can impact adjacent products. CVSS 3.1 base score is 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and no public exploit is identified at time of analysis, though the low attack complexity and unauthenticated network reachability make this a high-priority Critical Patch Update item.

Authentication Bypass Oracle Oracle Coherence
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-35304 CRITICAL Act Now

Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and at the time of analysis no public exploit identified at time of analysis.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35303 HIGH This Week

Authenticated remote takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 via the Console component allows a low-privileged attacker with HTTP network access to fully compromise the server. Oracle rates the flaw CVSS 8.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The advisory was published in Oracle's June 2026 Critical Patch Update, making this a priority patching item for enterprise middleware operators.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35302 HIGH This Week

Server takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (Console component) allows a remote unauthenticated attacker who can lure an authenticated user into interacting with a crafted HTTP request to fully compromise the server with a scope change to other products. CVSS 8.3 reflects high impact tempered by high attack complexity and required user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Weblogic Server Open Redirect
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-35301 CRITICAL Act Now

Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an unauthenticated network attacker to fully compromise the server with a scope change that impacts adjacent products. The CVSS 3.1 base score of 10.0 reflects the worst-case combination of network reachability, low complexity, no privileges, and full CIA impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-35300 CRITICAL Act Now

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by unauthenticated attackers with TCP network access to the Core component. Oracle rates this 9.8 with full confidentiality, integrity, and availability impact, and characterizes it as 'easily exploitable,' though no public exploit identified at time of analysis. The flaw is disclosed via the Oracle Critical Patch Update for June 2026 and currently shows no CISA KEV listing or EPSS data.

Oracle Weblogic Server Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35299 HIGH This Week

Authenticated takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is achievable through the administrative Console component, where a low-privileged HTTP-authenticated attacker can fully compromise confidentiality, integrity, and availability of the server. Oracle reports the issue as easily exploitable and rates it CVSS 8.8, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV. The flaw poses a significant risk to enterprise Java EE deployments where the WebLogic Console is reachable by any authenticated user.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35298 CRITICAL Act Now

Authenticated takeover of Oracle WebLogic Server (Fusion Middleware Core component) is possible by a high-privileged attacker over HTTP, with a scope change that can impact additional products beyond WebLogic itself. Affected versions are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0, with a CVSS 3.1 base score of 9.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-35296 CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP, with full compromise of confidentiality, integrity, and availability per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects network-reachable, low-complexity exploitation with no user interaction, placing this among the most severe Fusion Middleware issues in the cycle. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35295 HIGH This Week

Takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible when a low-privileged attacker with HTTP network access successfully chains a high-complexity exploit path in the WebCenter Sites component, resulting in full confidentiality, integrity, and availability compromise. Oracle's June 2026 Critical Patch Update disclosure rates this CVSS 7.5 with AC:H/PR:L, meaning a valid (even low-tier) account plus non-trivial conditions are required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-35294 CRITICAL Act Now

Account takeover in Oracle Identity Manager Connector (Fusion Middleware, Mainframe Connectors component) versions 12.2.1.4.0 and 14.1.2.1.0 allows an authenticated low-privileged attacker to fully compromise the connector over HTTP and pivot to other products via a CVSS scope change. The flaw carries a 9.9 CVSS 3.1 score with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, and CISA KEV does not list it.

Information Disclosure Oracle Identity Manager Connector
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35293 CRITICAL Act Now

Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middleware, enabling unauthenticated attackers to compromise the platform over HTTP. Oracle's June 2026 Critical Patch Update rates this 9.8 (CVSS 3.1) with confidentiality, integrity, and availability all marked High, and Oracle describes it as easily exploitable. No public exploit identified at time of analysis, and CWE classification is not provided in the supplied data.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35292 CRITICAL Act Now

Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network attackers to fully compromise the server over HTTP with no user interaction, earning the maximum CVSS 10.0 due to a scope change that can impact adjacent products. Oracle's June 2026 Critical Patch Update is the sole intelligence source; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-35291 MEDIUM This Month

Full server takeover is possible in Oracle WebLogic Server's Console component, affecting versions 14.1.2.0.0 and 15.1.1.0.0 via HTTP over a network. Exploitation requires a high-privileged attacker and high attack complexity, limiting the realistic threat surface to scenarios where administrative credentials are already compromised or an insider threat is present. No public exploit code and no CISA KEV listing have been identified at the time of analysis; this was disclosed as part of Oracle's Critical Patch Update (CPU) for June 2026.

Oracle Weblogic Server Privilege Escalation
NVD VulDB
CVSS 3.1
6.6
EPSS
0.4%
CVE-2026-35289 HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, allowing an unauthenticated network attacker to fully compromise confidentiality, integrity, and availability of the application. Oracle rates this as difficult to exploit (AC:H) but assigns a CVSS 3.1 score of 8.1 due to the complete takeover impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-35288 HIGH This Week

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-35286 CRITICAL Act Now

Remote takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the Content Server component via HTTP, with no public exploit identified at time of analysis. The CVSS 9.8 score reflects complete confidentiality, integrity, and availability impact, and Oracle disclosed the issue in its June 2026 Critical Patch Update. Organizations running Fusion Middleware-based content management should treat this as a top-priority patching item given the trivial attack complexity.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35285 CRITICAL Act Now

Authenticated takeover of Oracle WebCenter Enterprise Capture (12.2.1.4.0 and 14.1.2.0.0) is achievable by a low-privileged remote attacker reaching the server via T3 or IIOP protocols, with scope change allowing impact on adjacent products in the Fusion Middleware stack. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise with low attack complexity, and no public exploit identified at time of analysis.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35284 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible by a low-privileged attacker who can reach the server's T3 or IIOP listener, with a scope change extending impact to additional Fusion Middleware components. Oracle rates the flaw CVSS 9.9 with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis and the CVE is not currently in CISA KEV.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35283 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the Client Bundle component, where a low-privileged attacker with T3/IIOP network access can fully compromise the product with a scope-changed impact on adjacent Fusion Middleware components. The 9.9 CVSS score reflects easy exploitability with high confidentiality, integrity, and availability impact, though there is no public exploit identified at time of analysis. Defenders should treat this as a high-priority patching item given the trivial complexity and broad WebLogic protocol exposure typical of Oracle Fusion Middleware deployments.

Oracle Authentication Bypass Oracle Webcenter Enterprise Capture
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35282 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible by a low-privileged attacker reaching the T3 or IIOP protocol endpoints, with a scope change that lets the attack significantly impact additional adjacent products. With a CVSS 3.1 score of 9.9 and high confidentiality, integrity, and availability impact, the flaw resides in the Client Bundle component of Oracle Fusion Middleware. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35281 CRITICAL Act Now

Account takeover of Oracle WebCenter Enterprise Capture (12.2.1.4.0 and 14.1.2.0.0) is achievable by a low-privileged attacker with network access to the T3 or IIOP protocols. The CVSS 9.9 score reflects a scope-changing flaw in the Client Bundle component that can pivot beyond the originally compromised product, with full impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, but Oracle's own CPU advisory confirms the issue and the low attack complexity makes it a high-priority patching target.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-35280 CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged attacker reaching the T3 or IIOP listeners, with a scope change that lets the compromise propagate to other Fusion Middleware components. CVSS 3.1 is rated 9.9 due to high confidentiality, integrity, and availability impact across a changed scope, and no public exploit identified at time of analysis. The flaw resides in the Client Bundle component of this document-capture product and is fixed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35279 HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Monitor component, where an unauthenticated network attacker can compromise the application over HTTP. Although Oracle classifies the issue as difficult to exploit (AC:H), successful attacks yield full confidentiality, integrity, and availability impact with a CVSS 3.1 base score of 8.1. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-35278 CRITICAL Act Now

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor component, allowing unauthenticated network attackers to fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 9.8 critical and describes it as easily exploitable over HTTP, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-35276 HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Server component, where an unauthenticated attacker with HTTP network access can compromise confidentiality, integrity, and availability. Oracle rates the flaw CVSS 8.1 with high attack complexity, and no public exploit identified at time of analysis. The vulnerability is addressed in Oracle's June 2026 Critical Patch Update (CPU).

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-35275 HIGH This Week

Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privileged local attacker on the host to escape the guest/host boundary and access or modify critical data across the scope, including resources outside VirtualBox itself. The flaw is rated CVSS 3.1 7.5 with a scope change, but exploitation is rated High complexity by Oracle and there is no public exploit identified at time of analysis. Patch is available per Oracle's June 2026 Critical Patch Update advisory.

Authentication Bypass Oracle Oracle Vm Virtualbox
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-35274 HIGH This Week

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenticated remote attackers to compromise the Deployment Package component over HTTP. The flaw yields complete read access to PeopleTools-accessible data and partial write (insert/update/delete) capability without any user interaction or credentials. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and network reachability make it a high-priority patching target.

Authentication Bypass Oracle Peoplesoft Enterprise Pt Peopletools
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-35272 HIGH This Week

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, where an unauthenticated attacker with logon access to the underlying host can take over the PeopleTools instance. Oracle rates this 8.4 CVSS with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. The local attack vector keeps remote internet-based mass exploitation unlikely, but any user who can log on to the PeopleTools server should be treated as a critical risk.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-35271 HIGH This Week

Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic component allows attackers with HTTP access to read and modify critical data across PeopleTools and additional products in scope. Oracle rates the issue 8.7 CVSS 3.1 with high attack complexity but no privileges or user interaction, and the scope-change flag means impact extends beyond PeopleTools itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Authentication Bypass Oracle Peoplesoft Enterprise Pt Peopletools
NVD
CVSS 3.1
8.7
EPSS
0.3%
CVE-2026-35270 CRITICAL Act Now

Privileged takeover of Oracle WebCenter Content (Content Server component) affects supported versions 12.2.1.4.0 and 14.1.2.0.0, enabling a high-privileged attacker with HTTP network access to fully compromise the instance and pivot to additional Fusion Middleware products via a scope change. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting low attack complexity and full CIA impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-35269 HIGH This Week

Unauthorized data modification in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a remote unauthenticated attacker to create, delete, or modify critical identity data via the REST WebServices component over HTTP. Oracle rates the issue as easily exploitable with a CVSS 3.1 base score of 7.5 (integrity-only impact), and no public exploit has been identified at time of analysis.

Authentication Bypass Oracle Identity Manager
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-35268 CRITICAL Act Now

Account takeover in Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 (Fusion Middleware Core component) allows a low-privileged remote attacker to fully compromise the product via T3 or IIOP protocols, with scope change extending impact to other Fusion Middleware components. The CVSS 9.9 score reflects high confidentiality, integrity, and availability impact combined with low attack complexity. No public exploit identified at time of analysis, but Identity Manager's role as a central identity authority makes this a critical patching priority.

Oracle Identity Manager Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35267 HIGH This Week

Account takeover in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the Identity Manager instance via its REST WebServices component over HTTP. Oracle rates the flaw CVSS 8.8 with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity lifecycle and provisioning, successful exploitation has cascading impact across downstream applications it manages.

Oracle Identity Manager Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35265 HIGH This Week

Account takeover in Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker with HTTP access to fully compromise the Identity Manager component of Oracle Fusion Middleware. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation results in takeover of the identity governance platform itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Identity Manager Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35263 CRITICAL Act Now

Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by a low-privileged attacker over HTTP, with a CVSS 3.1 score of 9.9 driven by a scope change that lets the impact spread beyond WebLogic itself. Oracle has issued the fix in the June 2026 Critical Patch Update (cspujun2026), and there is no public exploit identified at time of analysis. Authenticated but low-effort exploitation combined with full confidentiality, integrity and availability impact makes this a top-priority patching item for any Oracle middleware estate.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35262 HIGH This Week

Authenticated tampering and data exposure in Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 (Market Place component) allows a low-privileged attacker with HTTP network access to read, modify, or delete all data accessible to the product and induce a partial denial of service. Oracle assigns a CVSS 3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L), and no public exploit identified at time of analysis. The flaw is described by Oracle as easily exploitable, raising the priority for any externally reachable ODI deployment.

Authentication Bypass Denial Of Service Oracle Oracle Data Integrator
NVD
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-35261 MEDIUM This Month

Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass Oracle Oracle Access Manager
NVD
CVSS 3.1
6.5
EPSS
0.3%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Cross-product compromise of Oracle WebCenter Content 14.1.2.0.0 (Fusion Middleware Content Server) allows a remote unauthenticated attacker to abuse a victim's browser session to gain high-impact read and write access to all WebCenter Content data, with scope change extending the impact to additional Oracle products. The CVSS 3.1 base score is 9.3 with a scope-changed vector requiring user interaction (UI:R), and no public exploit identified at time of analysis.

Authentication Bypass Oracle Oracle Webcenter Content
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation to full takeover in Oracle Identity Manager Connector (Fusion Middleware) allows a low-privileged remote attacker with SSH network access to compromise the Generic Unix Connector and pivot into additional Fusion Middleware components via a CVSS scope change. Versions 12.2.1.4.0 and 14.1.2.1.0 are affected, with Oracle rating the issue 9.9 due to high confidentiality, integrity, and availability impact across product boundaries. No public exploit identified at time of analysis, but the AV:N/AC:L profile and SSH-reachable attack surface make this a high-priority Oracle CPU item.

Oracle Identity Manager Connector Privilege Escalation
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Takeover of Oracle Identity Manager Connector (Fusion Middleware) is achievable by a low-privileged remote attacker over HTTP, with a scope-changing impact that extends compromise to additional Oracle products. Oracle rates this 9.9 CVSS 3.1 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Affected releases are 12.2.1.4.0 and 14.1.2.1.0, with the fix delivered in Oracle's June 2026 Critical Patch Update.

Oracle Identity Manager Connector Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Full takeover of Oracle Identity Manager Connector (versions 12.2.1.4.0 and 14.1.2.1.0) is achievable by a low-privileged remote attacker via HTTP against the Generic Unix Connector component, with scope-changed impact reaching additional Oracle Fusion Middleware products. Oracle rates this CVSS 9.9 due to high confidentiality, integrity, and availability impact combined with low attack complexity and minimal privileges. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Identity Manager Connector Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data disclosure in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows unauthenticated remote attackers to access all data accessible to the application via HTTP. The flaw carries a CVSS 3.1 base score of 7.5 with high confidentiality impact and no integrity or availability impact, and currently has no public exploit identified at time of analysis.

Authentication Bypass Oracle Oracle Webcenter Content
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthorized information disclosure in Oracle WebCenter Content 14.1.2.0.0 exposes a subset of managed content to remote unauthenticated attackers via HTTP against the Content Server component. The intelligence tags classify the mechanism as an Authentication Bypass, suggesting the Content Server fails to enforce access controls on certain requests before serving content. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the zero-complexity, zero-privilege CVSS vector means any network-reachable attacker can attempt exploitation without preconditions.

Oracle Oracle Webcenter Content Information Disclosure
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Remote takeover of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) is achievable by unauthenticated network attackers who can lure a victim into triggering a crafted HTTP interaction, with scope change extending impact to additional products. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) assigns CVSS 9.6 reflecting full confidentiality, integrity, and availability loss, and no public exploit identified at time of analysis.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Takeover of Oracle WebCenter Content 14.1.2.0.0 is possible when a high-privileged attacker over HTTP induces a separate user to interact with crafted content, resulting in full confidentiality, integrity, and availability compromise plus impact on adjacent products via CVSS scope change. The Oracle Critical Patch Update (June 2026) lists this in the Content Server component with a CVSS 3.1 base score of 8.4. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Cross-component compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server) allows a remote unauthenticated attacker who can lure a privileged user into interacting with attacker-controlled content to read or modify all WebCenter Content data and pivot into additional Oracle Fusion Middleware products via a scope change. The CVSS 3.1 base score of 8.0 reflects high confidentiality and integrity impact tempered by high attack complexity and required user interaction, and no public exploit identified at time of analysis.

Authentication Bypass Oracle Oracle Webcenter Content +1
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Account takeover in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content over HTTP. The scope-changing flaw carries a CVSS 3.1 base score of 9.6 with high confidentiality, integrity, and availability impact, and there is no public exploit identified at time of analysis. Listed in the ENISA EUVD as EUVD-2026-37304 and addressed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Webcenter Content CSRF
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Cross-component compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server) allows a remote unauthenticated attacker to read, create, modify, or delete all data accessible to the product after coaxing a victim into a single interaction over HTTP. The scope-changed nature means the impact extends beyond WebCenter Content into other Fusion Middleware components sharing trust with it. No public exploit identified at time of analysis, and the issue is not in CISA KEV, but the 9.3 CVSS base score and 'easily exploitable' wording from Oracle place it in the priority-patch tier for the June 2026 CPU.

Authentication Bypass Oracle Oracle Webcenter Content +1
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated remote compromise of Oracle WebCenter Content: Imaging (component: Core) in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0 allows attackers to read and modify all data accessible to the Imaging service over HTTP. The flaw is rated CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and Oracle classifies it as easily exploitable. No public exploit identified at time of analysis, and the CVE is not currently listed on CISA KEV.

Authentication Bypass Oracle Webcenter Content
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Content: Imaging (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via HTTP, per Oracle's June 2026 Critical Patch Update. With a CVSS 3.1 base score of 9.8 and AV:N/AC:L/PR:N/UI:N, the flaw in the Core component enables full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible by a low-privileged attacker with HTTP access to the Client Bundle component, with scope change extending impact to other Oracle Fusion Middleware products. CVSS 9.9 reflects easy exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the RMI-based Client Bundle component, with a maximum CVSS 3.1 score of 10.0 due to a scope change that impacts additional products. Oracle's June 2026 CPU advisory is the authoritative source, and no public exploit identified at time of analysis, though the AV:N/AC:L/PR:N/UI:N profile makes weaponization plausible once technical details emerge.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle WebCenter Content: Imaging (Fusion Middleware) allows a low-privileged authenticated attacker with HTTP network access to fully compromise the Imaging component on versions 12.2.1.4.0 and 14.1.2.0.0. Oracle rates the flaw CVSS 8.8 with high impact across confidentiality, integrity, and availability, and describes it as 'easily exploitable.' No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Oracle Authentication Bypass Webcenter Content
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Takeover of Oracle WebCenter Enterprise Capture is achievable by a low-privileged remote attacker via the T3 protocol in the Client Bundle component, affecting versions 12.2.1.4.0 and 14.1.2.0.0. The flaw carries a CVSS 3.1 base score of 9.9 with a scope change, meaning successful exploitation can significantly impact additional adjacent products beyond the vulnerable component. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via the Client Bundle component over RMI, allowing unauthenticated network attackers to fully compromise the product and pivot into other Fusion Middleware components due to a CVSS scope change. With a maximum 10.0 CVSS score, low attack complexity, and no privileges or user interaction required, this is a top-priority issue, though no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated remote compromise of Oracle WebCenter Content (Fusion Middleware Content Server) in versions 12.2.1.4.0 and 14.1.2.0.0 allows network-based attackers to read, create, modify, or delete any data accessible to the Content Server via HTTP. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact, no authentication, and low attack complexity. No public exploit identified at time of analysis, but Oracle's tagging as an authentication-bypass class issue and the trivial exploitability profile make it a high-priority patch target.

Authentication Bypass Oracle Oracle Webcenter Content
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Unauthenticated LDAP-based compromise of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 allows remote attackers to create, delete, or modify critical directory data, read a subset of directory data, and trigger a partial denial of service. The flaw resides in the OUD Core component and was disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.6; no public exploit identified at time of analysis and the issue is not in CISA KEV.

Denial Of Service Oracle Oracle Unified Directory +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 is possible via the OUD Core component's RMI interface, allowing unauthenticated network attackers to fully compromise the LDAP directory service. Oracle rates this CVSS 9.8 with confidentiality, integrity, and availability impacts; no public exploit identified at time of analysis and it is not currently listed in CISA KEV, but the RMI attack surface and trivial complexity make it a high-priority patching target.

Oracle Oracle Unified Directory Authentication Bypass
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated LDAP-based takeover of Oracle Unified Directory affects supported versions 12.2.1.4.0 and 14.1.2.1.0 within Oracle Fusion Middleware, allowing a remote attacker with network reachability to the LDAP service to fully compromise the directory server. The flaw carries a CVSS 3.1 base score of 9.8 with high confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because directory services underpin enterprise identity, successful exploitation cascades into authentication and authorization decisions for every downstream application that relies on OUD.

Oracle Oracle Unified Directory Authentication Bypass
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. No public exploit exists and this CVE is not listed in the CISA KEV catalog; however, the 'Authentication Bypass' tag suggests the flaw undermines role-based or session-level access separation within ADF Faces despite the attacker already holding high privileges.

Authentication Bypass Oracle Oracle Application Development Framework Adf
NVD VulDB
EPSS 0% CVSS 4.1
MEDIUM This Month

Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.

Authentication Bypass Java Oracle +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework component allows network-based unauthenticated attackers to compromise versions 12.2.1.4.0 and 14.1.2.0.0 via HTTP when a victim user interacts with a malicious payload. Successful exploitation results in unauthorized read access to a subset of ADF data and unauthorized modification of ADF-accessible data, with a confirmed scope change indicating downstream impact on additional Oracle Fusion Middleware products. No public exploit has been identified at time of analysis, and no CISA KEV listing exists.

Authentication Bypass Oracle Oracle Application Development Framework Adf
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Oracle Oracle Application Development Framework Adf Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Denial-of-service in Oracle VM VirtualBox 7.2.8 affects the VMSVGA virtual graphics device emulation layer, allowing a highly privileged local attacker to cause a persistent hang or fully repeatable crash of the hypervisor process. The CVSS Scope:Changed metric signals that the DoS impact propagates beyond the attacker's own guest VM, potentially destabilizing the host process and all co-resident VMs - a meaningful concern in multi-tenant and VDI environments. No public exploit code exists and no CISA KEV listing is present at time of analysis; exploitation is bounded by the requirement for high-privileged local access to the infrastructure.

Oracle Oracle Vm Virtualbox Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation to full takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with HTTP network access to compromise the Composer component and, due to a CVSS scope change, impact additional downstream products. The flaw carries a CVSS 3.1 base score of 9.9 and is marked easily exploitable by Oracle, though no public exploit identified at time of analysis. EPSS data and CISA KEV status are not provided in the available intelligence.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP requests to the Content Server component, per Oracle's June 2026 CPU advisory. The CVSS 9.8 score reflects full confidentiality, integrity, and availability impact with no authentication required. Status is no public exploit identified at time of analysis, but trivial exploitability against an internet-facing enterprise content platform makes this a priority patching candidate.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and full takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker through the Composer component, with a scope change that lets the impact reach additional products in the Fusion Middleware stack. Oracle rates the flaw 9.9 CVSS due to the combination of low attack complexity, low privilege requirement, and full CIA impact, and no public exploit has been identified at time of analysis.

Oracle Oracle Webcenter Portal Authentication Bypass
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Cross-tenant data exposure in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker to compromise the Content Server component via HTTPS when a victim is tricked into interacting with attacker-supplied content. The flaw produces a scope change, meaning successful exploitation can reach beyond WebCenter Content itself, yielding high confidentiality loss and limited integrity modifications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Webcenter Content
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Full takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible when a high-privileged attacker reaches the Content Server over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw yields complete confidentiality, integrity, and availability compromise (CVSS 7.2) but requires existing elevated privileges, and no public exploit identified at time of analysis. Exploitation is rated easy once the privilege bar is met, making this a priority for environments where many users hold administrative roles in Content Server.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation to full product takeover in Oracle WebCenter Content (Content Server component) versions 12.2.1.4.0 and 14.1.2.0.0 allows low-privileged attackers with HTTP network access to fully compromise the system. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 (Content Server component) allows a low-privileged authenticated attacker with HTTP network access to fully compromise the product, impacting confidentiality, integrity, and availability. Oracle rates this 8.8 (CVSS 3.1) and describes it as 'easily exploitable.' No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible by a low-privileged attacker sending HTTP requests to the Content Server component, with a scope change that can significantly impact additional products. Oracle rates this 9.9 CVSS and describes it as easily exploitable, and no public exploit identified at time of analysis. Reported in the Oracle Critical Patch Update for June 2026, the flaw enables full compromise of the WebCenter Content instance and any in-scope downstream systems.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker to fully compromise the Content Server over HTTP. Oracle's June 2026 Critical Patch Update rates this 8.8 with complete confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis.

Oracle Oracle Webcenter Content Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker over HTTP, with scope change enabling impact on adjacent products in the Fusion Middleware stack. The flaw carries a CVSS 3.1 base score of 9.9 and is described by Oracle as easily exploitable, though no public exploit identified at time of analysis. Authenticated access to the Content Server is the only meaningful barrier, making this a high-priority patch item for enterprises using WebCenter Content for document management.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Remote takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible through the Content Server component, allowing an unauthenticated network attacker to fully compromise the product with cascading impact to other Oracle Fusion Middleware components due to a scope change. Oracle assigned a CVSS 3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), and no public exploit identified at time of analysis. The high attack complexity tempers the otherwise critical rating, but a successful exploit yields complete takeover.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible via the Content Server component over HTTP, scored CVSS 9.8 by Oracle. No public exploit identified at time of analysis, but the low attack complexity and lack of authentication requirement make this a high-priority patch target for any Oracle Fusion Middleware environment exposing WebCenter Content.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker with HTTP access to fully compromise the product. The flaw is rated CVSS 8.8 with high impact across confidentiality, integrity, and availability, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP network access to fully compromise the Content Server component. Oracle rates the flaw 8.8 with high impact across confidentiality, integrity and availability, and characterizes it as easily exploitable. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor's 'takeover' wording and low complexity make this a priority patch.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 (Content Server component) allows a low-privileged remote attacker to compromise the application over HTTP and pivot to other products via a scope change. The CVSS 3.1 base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting easy exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 (Content Server component) lets a low-privileged remote attacker fully compromise the platform over HTTP without user interaction. Oracle's own CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability, and there is no public exploit identified at time of analysis. Disclosed via the Oracle Critical Security Patch Update advisory (cspujun2026), making this a vendor-confirmed flaw rather than third-party speculation.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Denial Of Service Oracle Oracle Access Manager +1
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the identity broker via the Authentication Engine component, with a CVSS 9.9 score reflecting a scope-changing impact on downstream protected applications. No public exploit identified at time of analysis, but Oracle's June 2026 Critical Patch Update flags it as easily exploitable over HTTP, making it a high-priority patch for any environment using OAM for SSO/federation.

Oracle Oracle Access Manager Authentication Bypass
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle Virtual Directory 12.2.1.4.0 and 14.1.2.0.0 is possible via crafted LDAP traffic, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The flaw lives in the Virtual Directory Server component of Oracle Fusion Middleware and is described by Oracle as easily exploitable over the network with no authentication or user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Virtual Directory Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote code execution in Oracle WebLogic Server 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP access to fully take over the server, per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 8.8 reflects full confidentiality, integrity, and availability impact with low attack complexity. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle Coherence (Fusion Middleware component) is possible by unauthenticated network attackers reaching the HTTP interface, per Oracle's June 2026 Critical Patch Update. Affected versions span 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0, with a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network reach make this a top-priority patch for any exposed Coherence cluster.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion Middleware deployments running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0. The flaw resides in the Centralized Third Party Jars component and carries a critical 9.8 CVSS score with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the trivial attack profile and Oracle's CPU disclosure pattern make weaponization likely.

Oracle Oracle Coherence Authentication Bypass
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthenticated network attacker over HTTP to fully compromise affected deployments, with scope change permitting impact on additional connected products. Supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 carry a maximum CVSS 3.1 base score of 10.0 across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion Middleware versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries the maximum CVSS 3.1 base score of 10.0 with scope change, meaning successful exploitation can pivot impact into other products that rely on the Coherence cluster. No public exploit identified at time of analysis, but the trivial attack complexity and Oracle's critical scoring make this a top-priority patch item.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware, Centralized Third Party Jars component) allows network-based attackers to read all Coherence-accessible data and perform limited data modification over HTTP, with a scope change that can impact additional products in the same deployment. Oracle rates the issue CVSS 9.3 and describes it as easily exploitable; no public exploit identified at time of analysis and it is not currently on the CISA KEV list.

Authentication Bypass Oracle Oracle Coherence
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware) via HTTP allows attackers to read all accessible data and modify a subset, with a scope change that can impact adjacent products. CVSS 3.1 base score is 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and no public exploit is identified at time of analysis, though the low attack complexity and unauthenticated network reachability make this a high-priority Critical Patch Update item.

Authentication Bypass Oracle Oracle Coherence
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and at the time of analysis no public exploit identified at time of analysis.

Oracle Oracle Coherence Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 via the Console component allows a low-privileged attacker with HTTP network access to fully compromise the server. Oracle rates the flaw CVSS 8.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The advisory was published in Oracle's June 2026 Critical Patch Update, making this a priority patching item for enterprise middleware operators.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Server takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (Console component) allows a remote unauthenticated attacker who can lure an authenticated user into interacting with a crafted HTTP request to fully compromise the server with a scope change to other products. CVSS 8.3 reflects high impact tempered by high attack complexity and required user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Weblogic Server Open Redirect
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an unauthenticated network attacker to fully compromise the server with a scope change that impacts adjacent products. The CVSS 3.1 base score of 10.0 reflects the worst-case combination of network reachability, low complexity, no privileges, and full CIA impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by unauthenticated attackers with TCP network access to the Core component. Oracle rates this 9.8 with full confidentiality, integrity, and availability impact, and characterizes it as 'easily exploitable,' though no public exploit identified at time of analysis. The flaw is disclosed via the Oracle Critical Patch Update for June 2026 and currently shows no CISA KEV listing or EPSS data.

Oracle Weblogic Server Deserialization
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is achievable through the administrative Console component, where a low-privileged HTTP-authenticated attacker can fully compromise confidentiality, integrity, and availability of the server. Oracle reports the issue as easily exploitable and rates it CVSS 8.8, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV. The flaw poses a significant risk to enterprise Java EE deployments where the WebLogic Console is reachable by any authenticated user.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Authenticated takeover of Oracle WebLogic Server (Fusion Middleware Core component) is possible by a high-privileged attacker over HTTP, with a scope change that can impact additional products beyond WebLogic itself. Affected versions are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0, with a CVSS 3.1 base score of 9.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP, with full compromise of confidentiality, integrity, and availability per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects network-reachable, low-complexity exploitation with no user interaction, placing this among the most severe Fusion Middleware issues in the cycle. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible when a low-privileged attacker with HTTP network access successfully chains a high-complexity exploit path in the WebCenter Sites component, resulting in full confidentiality, integrity, and availability compromise. Oracle's June 2026 Critical Patch Update disclosure rates this CVSS 7.5 with AC:H/PR:L, meaning a valid (even low-tier) account plus non-trivial conditions are required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Account takeover in Oracle Identity Manager Connector (Fusion Middleware, Mainframe Connectors component) versions 12.2.1.4.0 and 14.1.2.1.0 allows an authenticated low-privileged attacker to fully compromise the connector over HTTP and pivot to other products via a CVSS scope change. The flaw carries a 9.9 CVSS 3.1 score with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, and CISA KEV does not list it.

Information Disclosure Oracle Identity Manager Connector
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middleware, enabling unauthenticated attackers to compromise the platform over HTTP. Oracle's June 2026 Critical Patch Update rates this 9.8 (CVSS 3.1) with confidentiality, integrity, and availability all marked High, and Oracle describes it as easily exploitable. No public exploit identified at time of analysis, and CWE classification is not provided in the supplied data.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network attackers to fully compromise the server over HTTP with no user interaction, earning the maximum CVSS 10.0 due to a scope change that can impact adjacent products. Oracle's June 2026 Critical Patch Update is the sole intelligence source; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.6
MEDIUM This Month

Full server takeover is possible in Oracle WebLogic Server's Console component, affecting versions 14.1.2.0.0 and 15.1.1.0.0 via HTTP over a network. Exploitation requires a high-privileged attacker and high attack complexity, limiting the realistic threat surface to scenarios where administrative credentials are already compromised or an insider threat is present. No public exploit code and no CISA KEV listing have been identified at the time of analysis; this was disclosed as part of Oracle's Critical Patch Update (CPU) for June 2026.

Oracle Weblogic Server Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, allowing an unauthenticated network attacker to fully compromise confidentiality, integrity, and availability of the application. Oracle rates this as difficult to exploit (AC:H) but assigns a CVSS 3.1 score of 8.1 due to the complete takeover impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the Content Server component via HTTP, with no public exploit identified at time of analysis. The CVSS 9.8 score reflects complete confidentiality, integrity, and availability impact, and Oracle disclosed the issue in its June 2026 Critical Patch Update. Organizations running Fusion Middleware-based content management should treat this as a top-priority patching item given the trivial attack complexity.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Authenticated takeover of Oracle WebCenter Enterprise Capture (12.2.1.4.0 and 14.1.2.0.0) is achievable by a low-privileged remote attacker reaching the server via T3 or IIOP protocols, with scope change allowing impact on adjacent products in the Fusion Middleware stack. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise with low attack complexity, and no public exploit identified at time of analysis.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible by a low-privileged attacker who can reach the server's T3 or IIOP listener, with a scope change extending impact to additional Fusion Middleware components. Oracle rates the flaw CVSS 9.9 with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis and the CVE is not currently in CISA KEV.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the Client Bundle component, where a low-privileged attacker with T3/IIOP network access can fully compromise the product with a scope-changed impact on adjacent Fusion Middleware components. The 9.9 CVSS score reflects easy exploitability with high confidentiality, integrity, and availability impact, though there is no public exploit identified at time of analysis. Defenders should treat this as a high-priority patching item given the trivial complexity and broad WebLogic protocol exposure typical of Oracle Fusion Middleware deployments.

Oracle Authentication Bypass Oracle Webcenter Enterprise Capture
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible by a low-privileged attacker reaching the T3 or IIOP protocol endpoints, with a scope change that lets the attack significantly impact additional adjacent products. With a CVSS 3.1 score of 9.9 and high confidentiality, integrity, and availability impact, the flaw resides in the Client Bundle component of Oracle Fusion Middleware. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Account takeover of Oracle WebCenter Enterprise Capture (12.2.1.4.0 and 14.1.2.0.0) is achievable by a low-privileged attacker with network access to the T3 or IIOP protocols. The CVSS 9.9 score reflects a scope-changing flaw in the Client Bundle component that can pivot beyond the originally compromised product, with full impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, but Oracle's own CPU advisory confirms the issue and the low attack complexity makes it a high-priority patching target.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged attacker reaching the T3 or IIOP listeners, with a scope change that lets the compromise propagate to other Fusion Middleware components. CVSS 3.1 is rated 9.9 due to high confidentiality, integrity, and availability impact across a changed scope, and no public exploit identified at time of analysis. The flaw resides in the Client Bundle component of this document-capture product and is fixed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Webcenter Enterprise Capture Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Monitor component, where an unauthenticated network attacker can compromise the application over HTTP. Although Oracle classifies the issue as difficult to exploit (AC:H), successful attacks yield full confidentiality, integrity, and availability impact with a CVSS 3.1 base score of 8.1. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor component, allowing unauthenticated network attackers to fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 9.8 critical and describes it as easily exploitable over HTTP, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Server component, where an unauthenticated attacker with HTTP network access can compromise confidentiality, integrity, and availability. Oracle rates the flaw CVSS 8.1 with high attack complexity, and no public exploit identified at time of analysis. The vulnerability is addressed in Oracle's June 2026 Critical Patch Update (CPU).

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privileged local attacker on the host to escape the guest/host boundary and access or modify critical data across the scope, including resources outside VirtualBox itself. The flaw is rated CVSS 3.1 7.5 with a scope change, but exploitation is rated High complexity by Oracle and there is no public exploit identified at time of analysis. Patch is available per Oracle's June 2026 Critical Patch Update advisory.

Authentication Bypass Oracle Oracle Vm Virtualbox
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenticated remote attackers to compromise the Deployment Package component over HTTP. The flaw yields complete read access to PeopleTools-accessible data and partial write (insert/update/delete) capability without any user interaction or credentials. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and network reachability make it a high-priority patching target.

Authentication Bypass Oracle Peoplesoft Enterprise Pt Peopletools
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, where an unauthenticated attacker with logon access to the underlying host can take over the PeopleTools instance. Oracle rates this 8.4 CVSS with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. The local attack vector keeps remote internet-based mass exploitation unlikely, but any user who can log on to the PeopleTools server should be treated as a critical risk.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic component allows attackers with HTTP access to read and modify critical data across PeopleTools and additional products in scope. Oracle rates the issue 8.7 CVSS 3.1 with high attack complexity but no privileges or user interaction, and the scope-change flag means impact extends beyond PeopleTools itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Authentication Bypass Oracle Peoplesoft Enterprise Pt Peopletools
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Privileged takeover of Oracle WebCenter Content (Content Server component) affects supported versions 12.2.1.4.0 and 14.1.2.0.0, enabling a high-privileged attacker with HTTP network access to fully compromise the instance and pivot to additional Fusion Middleware products via a scope change. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting low attack complexity and full CIA impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthorized data modification in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a remote unauthenticated attacker to create, delete, or modify critical identity data via the REST WebServices component over HTTP. Oracle rates the issue as easily exploitable with a CVSS 3.1 base score of 7.5 (integrity-only impact), and no public exploit has been identified at time of analysis.

Authentication Bypass Oracle Identity Manager
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Account takeover in Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 (Fusion Middleware Core component) allows a low-privileged remote attacker to fully compromise the product via T3 or IIOP protocols, with scope change extending impact to other Fusion Middleware components. The CVSS 9.9 score reflects high confidentiality, integrity, and availability impact combined with low attack complexity. No public exploit identified at time of analysis, but Identity Manager's role as a central identity authority makes this a critical patching priority.

Oracle Identity Manager Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the Identity Manager instance via its REST WebServices component over HTTP. Oracle rates the flaw CVSS 8.8 with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity lifecycle and provisioning, successful exploitation has cascading impact across downstream applications it manages.

Oracle Identity Manager Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker with HTTP access to fully compromise the Identity Manager component of Oracle Fusion Middleware. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation results in takeover of the identity governance platform itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Identity Manager Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by a low-privileged attacker over HTTP, with a CVSS 3.1 score of 9.9 driven by a scope change that lets the impact spread beyond WebLogic itself. Oracle has issued the fix in the June 2026 Critical Patch Update (cspujun2026), and there is no public exploit identified at time of analysis. Authenticated but low-effort exploitation combined with full confidentiality, integrity and availability impact makes this a top-priority patching item for any Oracle middleware estate.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Authenticated tampering and data exposure in Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 (Market Place component) allows a low-privileged attacker with HTTP network access to read, modify, or delete all data accessible to the product and induce a partial denial of service. Oracle assigns a CVSS 3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L), and no public exploit identified at time of analysis. The flaw is described by Oracle as easily exploitable, raising the priority for any externally reachable ODI deployment.

Authentication Bypass Denial Of Service Oracle +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass Oracle Oracle Access Manager
NVD
Prev Page 3 of 87 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy