Skip to main content

Oracle

Vendor security scorecard – 545 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 2531
545
CVEs
148
Critical
188
High
3
KEV
17
PoC
298
Unpatched C/H
23.7%
Patch Rate
0.2%
Avg EPSS

Severity Breakdown

CRITICAL
148
HIGH
188
MEDIUM
179
LOW
29

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-35273 Remote takeover of Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 is possible through the Updates Environment Management component via unauthenticated HTTP requests. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network-based exploitation against any internet- or intranet-exposed instance, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but Oracle's 'easily exploitable' language and the unauthenticated nature make this a high-priority patching target. CRITICAL 9.8 0.0% 124
KEV PoC No patch
CVE-2026-46817 Remote takeover of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible via the File Transmission component, allowing unauthenticated network-based attackers to fully compromise confidentiality, integrity, and availability (CVSS 9.8). The flaw is described by Oracle as easily exploitable over HTTP with no user interaction, and no public exploit identified at time of analysis. Tagged as Information Disclosure and listed in Oracle's May 2026 Critical Patch Update advisory. CRITICAL 9.8 0.0% 119
KEV PoC No patch
CVE-2026-55255 Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing the victim's flow UUID as the `model` value to the `/api/v1/responses` endpoint, exposing data the victim's flow processes and consuming their resources. The flaw is an Insecure Direct Object Reference (CWE-639) in the `get_flow_by_id_or_endpoint_name` helper, which skipped ownership checks on the UUID lookup path. Publicly available exploit code exists (a working curl PoC), and the input lists it as confirmed actively exploited (CISA KEV), though the SSVC exploitation status of 'poc' and a low 0.24% EPSS complicate that claim (see risk_assessment). HIGH 8.4 0.2% 112
KEV PoC
CVE-2026-21992 A critical authentication bypass vulnerability in Oracle Identity Manager and Oracle Web Services Manager allows remote attackers to completely compromise affected systems without any credentials. The vulnerability resides in the REST WebServices and Web Services Security components, affecting versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, this represents a severe risk to identity management infrastructure, though no current KEV listing or public POC has been documented in available sources. CRITICAL 9.8 0.0% 69
PoC No patch
CVE-2026-33439 Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue CRITICAL 9.3 0.1% 67
PoC
CVE-2026-49952 Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to access database backup and restore functionality exposed by dbbak.php. The flaw stems from a shared cryptographic key (CWE-323) between UCenter integration and the backup API, which lets an attacker abuse an encryption oracle in logging_ctl::logging_more() to mint legitimately signed authorization tokens, and chain a race condition to impersonate arbitrary users. Publicly available exploit code exists and an upstream fix has been published on Gitee. CRITICAL 9.3 0.4% 66
PoC
CVE-2026-29146 Padding oracle attack in Apache Tomcat EncryptInterceptor leaks encrypted session data confidentiality across versions 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.115, 10.0.0-M1-10.1.52, and 11.0.0-M1-11.0.18 when default configuration is deployed. Unauthenticated remote attackers exploit oracle responses to decrypt sensitive information without authentication (CVSS:3.1 AV:N/AC:L/PR:N). CWE-209 (information exposure through error messages) enables cryptographic side-channel extraction. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%). HIGH 7.5 0.0% 58
PoC
CVE-2019-25653 Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available. MEDIUM 6.9 0.0% 55
PoC No patch
CVE-2026-28490 Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle vulnerability that leaks decryption failures through timing and exception patterns, allowing attackers to decrypt sensitive data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side-channel. Public exploit code exists for this vulnerability affecting Authlib users in Python and related Oracle products. MEDIUM 6.5 0.0% 53
PoC
CVE-2026-35292 Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network attackers to fully compromise the server over HTTP with no user interaction, earning the maximum CVSS 10.0 due to a scope change that can impact adjacent products. Oracle's June 2026 Critical Patch Update is the sole intelligence source; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. CRITICAL 10.0 0.5% 51
No patch
CVE-2026-35301 Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an unauthenticated network attacker to fully compromise the server with a scope change that impacts adjacent products. The CVSS 3.1 base score of 10.0 reflects the worst-case combination of network reachability, low complexity, no privileges, and full CIA impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. CRITICAL 10.0 0.5% 51
No patch
CVE-2026-35307 Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion Middleware versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries the maximum CVSS 3.1 base score of 10.0 with scope change, meaning successful exploitation can pivot impact into other products that rely on the Coherence cluster. No public exploit identified at time of analysis, but the trivial attack complexity and Oracle's critical scoring make this a top-priority patch item. CRITICAL 10.0 0.5% 51
No patch
CVE-2026-35308 Remote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthenticated network attacker over HTTP to fully compromise affected deployments, with scope change permitting impact on additional connected products. Supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 carry a maximum CVSS 3.1 base score of 10.0 across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. CRITICAL 10.0 0.5% 51
No patch
CVE-2026-46846 Complete takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by unauthenticated remote attackers via crafted HTTP requests to the Security Framework component, with CVSS 10.0 reflecting a scope change that lets the compromise extend beyond WebCenter into adjacent Fusion Middleware products. No public exploit identified at time of analysis, but the combination of network attack vector, low complexity, no privileges, no user interaction, and Oracle's own 'easily exploitable' wording makes this a top-priority patching event. Vendor-released patch is available via the Oracle Critical Patch Update of June 2026 (CPUJUN2026). CRITICAL 10.0 0.5% 51
No patch
CVE-2026-46803 Unauthenticated remote takeover of Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP via a flaw in the Security Framework component, with a scope change extending impact to additional Oracle Fusion Middleware products. The maximum CVSS 3.1 score of 10.0 reflects network-reachable exploitation with no authentication or user interaction and full confidentiality, integrity, and availability loss; no public exploit identified at time of analysis, but the trivial attack profile makes this a top-priority patch. CRITICAL 10.0 0.5% 51
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy