273
CVEs
125
Critical
111
High
1
KEV
6
PoC
223
Unpatched C/H
9.9%
Patch Rate
0.4%
Avg EPSS
Severity Breakdown
CRITICAL
125
HIGH
111
MEDIUM
25
LOW
11
Monthly CVE Trend
Affected Products (30)
MySQL
1171
Java
889
Jre
721
Jdk
714
Oncommand Insight
692
Oncommand Workflow Automation
527
Ubuntu Linux
454
Active Iq Unified Manager
452
Snapcenter
445
Debian Linux
410
Vm Virtualbox
374
MariaDB
322
Enterprise Linux Server Aus
299
Enterprise Linux Eus
288
Enterprise Linux Desktop
279
Enterprise Linux Workstation
279
Solaris
279
Enterprise Linux Server
279
Fedora
270
Enterprise Linux Server Tus
269
Fusion Middleware
241
Peoplesoft Enterprise Peopletools
212
Weblogic Server
198
Database Server
192
Mysql Server
185
Leap
183
E Business Suite
177
Outside In Technology
165
Enterprise Linux
163
E Series Santricity Os Controller
150
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-55255 | Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing the victim's flow UUID as the `model` value to the `/api/v1/responses` endpoint, exposing data the victim's flow processes and consuming their resources. The flaw is an Insecure Direct Object Reference (CWE-639) in the `get_flow_by_id_or_endpoint_name` helper, which skipped ownership checks on the UUID lookup path. Publicly available exploit code exists (a working curl PoC), and the input lists it as confirmed actively exploited (CISA KEV), though the SSVC exploitation status of 'poc' and a low 0.24% EPSS complicate that claim (see risk_assessment). | HIGH | 8.4 | 0.2% | 112 |
KEV
PoC
|
| CVE-2026-35308 | Remote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthenticated network attacker over HTTP to fully compromise affected deployments, with scope change permitting impact on additional connected products. Supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 carry a maximum CVSS 3.1 base score of 10.0 across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-46778 | Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via the Client Bundle component over RMI, allowing unauthenticated network attackers to fully compromise the product and pivot into other Fusion Middleware components due to a CVSS scope change. With a maximum 10.0 CVSS score, low attack complexity, and no privileges or user interaction required, this is a top-priority issue, though no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-46803 | Unauthenticated remote takeover of Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP via a flaw in the Security Framework component, with a scope change extending impact to additional Oracle Fusion Middleware products. The maximum CVSS 3.1 score of 10.0 reflects network-reachable exploitation with no authentication or user interaction and full confidentiality, integrity, and availability loss; no public exploit identified at time of analysis, but the trivial attack profile makes this a top-priority patch. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-46846 | Complete takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by unauthenticated remote attackers via crafted HTTP requests to the Security Framework component, with CVSS 10.0 reflecting a scope change that lets the compromise extend beyond WebCenter into adjacent Fusion Middleware products. No public exploit identified at time of analysis, but the combination of network attack vector, low complexity, no privileges, no user interaction, and Oracle's own 'easily exploitable' wording makes this a top-priority patching event. Vendor-released patch is available via the Oracle Critical Patch Update of June 2026 (CPUJUN2026). | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-35292 | Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network attackers to fully compromise the server over HTTP with no user interaction, earning the maximum CVSS 10.0 due to a scope change that can impact adjacent products. Oracle's June 2026 Critical Patch Update is the sole intelligence source; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-35301 | Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an unauthenticated network attacker to fully compromise the server with a scope change that impacts adjacent products. The CVSS 3.1 base score of 10.0 reflects the worst-case combination of network reachability, low complexity, no privileges, and full CIA impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-46781 | Remote unauthenticated takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the RMI-based Client Bundle component, with a maximum CVSS 3.1 score of 10.0 due to a scope change that impacts additional products. Oracle's June 2026 CPU advisory is the authoritative source, and no public exploit identified at time of analysis, though the AV:N/AC:L/PR:N/UI:N profile makes weaponization plausible once technical details emerge. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-35307 | Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion Middleware versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries the maximum CVSS 3.1 base score of 10.0 with scope change, meaning successful exploitation can pivot impact into other products that rely on the Coherence cluster. No public exploit identified at time of analysis, but the trivial attack complexity and Oracle's critical scoring make this a top-priority patch item. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-46978 | Unauthenticated remote compromise of Oracle Solaris 11.4 Remote Administration Daemon (RAD) allows network attackers to read, modify, create, or delete critical data with scope change impacting adjacent products. The CVSS 3.1 base score of 10.0 with AV:N/AC:L/PR:N/UI:N reflects trivial network exploitability over HTTPS without authentication, and no public exploit identified at time of analysis. The scope-change designation indicates that successful exploitation breaches the security authority of RAD and propagates impact to other Solaris-managed components. | CRITICAL | 10.0 | 0.4% | 50 |
No patch
|
| CVE-2026-46798 | Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers over HTTP, with a CVSS 3.1 base score of 10.0 reflecting a scope change that can impact adjacent products. No public exploit identified at time of analysis, but Oracle has rated the issue as easily exploitable and released a fix in the June 2026 Critical Patch Update. | CRITICAL | 10.0 | 0.5% | 50 |
No patch
|
| CVE-2026-46800 | Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximum CVSS 3.1 base score of 10.0 and a scope change indicating impact beyond the WebCenter Sites boundary. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) lists the issue as easily exploitable with no privileges or user interaction required. There is no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV. | CRITICAL | 10.0 | 0.5% | 50 |
No patch
|
| CVE-2026-35282 | Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible by a low-privileged attacker reaching the T3 or IIOP protocol endpoints, with a scope change that lets the attack significantly impact additional adjacent products. With a CVSS 3.1 score of 9.9 and high confidentiality, integrity, and availability impact, the flaw resides in the Client Bundle component of Oracle Fusion Middleware. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list. | CRITICAL | 9.9 | 0.5% | 50 |
No patch
|
| CVE-2026-46793 | Takeover of Oracle Identity Manager Connector (Fusion Middleware) is achievable by a low-privileged remote attacker over HTTP, with a scope-changing impact that extends compromise to additional Oracle products. Oracle rates this 9.9 CVSS 3.1 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Affected releases are 12.2.1.4.0 and 14.1.2.1.0, with the fix delivered in Oracle's June 2026 Critical Patch Update. | CRITICAL | 9.9 | 0.5% | 50 |
No patch
|
| CVE-2026-46765 | Privilege escalation and full takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker through the Composer component, with a scope change that lets the impact reach additional products in the Fusion Middleware stack. Oracle rates the flaw 9.9 CVSS due to the combination of low attack complexity, low privilege requirement, and full CIA impact, and no public exploit has been identified at time of analysis. | CRITICAL | 9.9 | 0.5% | 50 |
No patch
|