
Oracle

Vendor security scorecard – 426 CVEs in the selected period

Summary metrics for the selected period:

| Metric | Value |
| --- | --- |
| Risk score | 1090 |
| CVEs | 426 |
| Critical | 32 |
| High | 106 |
| KEV (CISA Known Exploited Vulnerabilities) | 5 |
| PoC (public exploit code) | 11 |
| Unpatched Critical/High | 97 |
| Patch rate | 37.6% |
| Average EPSS | 1.3% |

Severity Breakdown

| Severity | Count |
| --- | --- |
| CRITICAL | 32 |
| HIGH | 106 |
| MEDIUM | 263 |
| LOW | 25 |

Monthly CVE Trend

Top Risky CVEs

| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2012-4681 | Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName methods, enabling complete sandbox escape for untrusted applets. Massively exploited by exploit kits in 2012. | CRITICAL | 9.8 | 94.1% | 223 | KEV, PoC, No patch |
| CVE-2013-2465 | Java Runtime Environment sandbox bypass via incorrect image channel verification in the 2D component allows remote unauthenticated attackers to execute arbitrary code and escape security restrictions. Affects Oracle JRE 5.0 through Update 45, 6 through Update 45, 7 through Update 21, and OpenJDK 7. Confirmed actively exploited (CISA KEV) with 93.22% EPSS probability and publicly available exploit code. Oracle released patches in the June 2013 CPU addressing the vulnerability through image channel verification corrections. | CRITICAL | 9.8 | 93.2% | 222 | KEV, PoC |
| CVE-2011-3544 | Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise through malicious Java Web Start applications and untrusted applets exploiting the Scripting component. CISA KEV confirms active exploitation in the wild. EPSS score of 92.59% (100th percentile) indicates extremely high probability of mass exploitation. Public exploit code exists, making this a critical priority for any environment running affected Java versions despite the vulnerability's age. | CRITICAL | 9.8 | 92.6% | 222 | KEV, PoC |
| CVE-2017-10271 | Oracle WebLogic Server allows unauthenticated remote code execution through the WLS Security component's T3 protocol, massively exploited for cryptocurrency mining and botnet recruitment from 2017 onward. | HIGH | 7.5 | 94.4% | 212 | KEV, PoC |
| CVE-2013-2460 | Java Runtime Environment 7 Update 21 and earlier allows remote attackers to escape the Java sandbox and execute arbitrary code via insufficient access checks in the tracing/serviceability component. Publicly available exploit code exists for this medium-complexity network attack, which achieved a 92.14% EPSS score (100th percentile), indicating extremely high likelihood of exploitation. Oracle addressed this vulnerability in its June 2013 Critical Patch Update, though the exact nature of the serviceability component flaw was not fully disclosed by the vendor. | CRITICAL | 9.3 | 92.1% | 169 | PoC, No patch |
| CVE-2015-4902 | Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deploymen | MEDIUM | 5.3 | 7.7% | 94 | KEV |
| CVE-2026-21992 | A critical authentication bypass vulnerability in Oracle Identity Manager and Oracle Web Services Manager allows remote attackers to completely compromise affected systems without any credentials. The vulnerability resides in the REST WebServices and Web Services Security components, affecting versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, this represents a severe risk to identity management infrastructure, though no current KEV listing or public POC has been documented in available sources. | CRITICAL | 9.8 | 0.0% | 69 | PoC, No patch |
| CVE-2025-30712 | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Rated high severity (CVSS 8.1), this vulnerability has low attack complexity. Public exploit code available. | HIGH | 8.1 | 0.1% | 61 | PoC |
| CVE-2024-36259 | Improper access control in the mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code available and no vendor patch available. | HIGH | 7.5 | 0.1% | 58 | PoC, No patch |
| CVE-2026-28490 | Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle vulnerability that leaks decryption failures through timing and exception patterns, allowing attackers to decrypt sensitive data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side channel. Public exploit code exists for this vulnerability affecting Authlib users in Python and related Oracle products. | MEDIUM | 6.5 | 0.0% | 53 | PoC |
| CVE-2026-21962 | Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer. | CRITICAL | 10.0 | 0.0% | 50 | (none) |
| CVE-2026-46840 | Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS 10.0 score and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit was identified at time of analysis and no EPSS or CISA KEV signal has been provided in the available data. | CRITICAL | 10.0 | – | 50 | No patch |
| CVE-2025-30727 | Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: iSurvey Module). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 1.0% | 50 | No patch |
| CVE-2024-56158 | Critical SQL injection vulnerability in XWiki that allows unauthenticated remote attackers to execute arbitrary SQL queries against Oracle databases by exploiting insufficient validation of native SQL functions (DBMS_XMLGEN, DBMS_XMLQUERY) in Hibernate query processing. The vulnerability affects XWiki versions before 16.10.2, 16.4.7, and 15.10.16, with a CVSS score of 9.8 indicating critical severity and complete compromise of confidentiality, integrity, and availability. This is a pre-authentication remote code execution vector with no user interaction required. | CRITICAL | 9.8 | 0.7% | 50 | (none) |
| CVE-2025-20286 | Default credentials in Cisco ISE cloud deployments on AWS/Azure/OCI. CVSS 9.9. | CRITICAL | 9.9 | 0.1% | 50 | No patch |
