Oracle

Vendor security scorecard – 147 CVEs in the selected period

Risk score: 279
CVEs: 147
Critical: 10
High: 38
KEV: 0
PoC: 2
Unpatched Critical/High: 30
Patch rate: 28.6%
Average EPSS: 0.0%

Severity Breakdown

CRITICAL: 10
HIGH: 38
MEDIUM: 88
LOW: 11

Monthly CVE Trend

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals, followed by the summary.

CVE-2026-21992 | CRITICAL | CVSS 9.8 | EPSS 0.0% | Priority 69 | Signals: PoC, No patch
Summary: A critical authentication bypass vulnerability in Oracle Identity Manager and Oracle Web Services Manager allows remote attackers to completely compromise affected systems without any credentials. The vulnerability resides in the REST WebServices and Web Services Security components, affecting versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, this represents a severe risk to identity management infrastructure, though no current KEV listing or public PoC has been documented in available sources.

CVE-2026-28490 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC
Summary: Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle vulnerability that leaks decryption failures through timing and exception patterns, allowing attackers to decrypt sensitive data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side channel. Public exploit code exists for this vulnerability, affecting Authlib users in Python and related Oracle products.

CVE-2026-21994 | CRITICAL | CVSS 9.8 | EPSS 0.0% | Priority 49 | Signals: No patch
Summary: A critical unauthenticated remote code execution vulnerability in Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0. An attacker with network access via HTTP can completely take over the affected system with no authentication, privileges, or user interaction required. The CVSS score of 9.8 reflects maximum impact across confidentiality, integrity, and availability. There is no evidence of active exploitation (not in CISA KEV), and no proof-of-concept code has been publicly identified in the available intelligence.

CVE-2026-34275 | CRITICAL | CVSS 9.8 | EPSS 0.0% | Priority 49 | Signals: No patch
Summary: Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions t

CVE-2026-29080 | CRITICAL | CVSS 9.4 | EPSS 0.1% | Priority 47 | Signals: none
Summary: SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (single-iteration SHA-256, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected because SQLAlchemy parameterizes queries properly on those database dialects.

CVE-2026-33439 | CRITICAL | CVSS 9.3 | EPSS 0.1% | Priority 47 | Signals: none
Summary: Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue

CVE-2026-27886 | CRITICAL | CVSS 9.2 | EPSS 0.1% | Priority 46 | Signals: none
Summary: Boolean-oracle information disclosure in the Strapi Content API allows remote unauthenticated attackers to extract admin password-reset tokens and achieve full administrative account takeover. Strapi versions 4.0.0 through 5.36.1 fail to sanitize relational query parameters on public content-type endpoints. By crafting `where` filters that traverse into joined `admin_users` table columns (e.g., `where[updatedBy][resetPasswordToken][$startsWith]=a`), attackers perform character-by-character oracle attacks against private admin fields, then use the extracted reset token to hijack administrator accounts. WildWest CyberSecurity reports this critical vulnerability with CVSS 9.3, affecting all Strapi deployments with public content-types containing admin-relation fields (`updatedBy`, `createdBy`, `publishedBy`). Vendor-released patch available in version 5.37.0. No active exploitation or public PoC identified at time of analysis.

CVE-2026-34279 | CRITICAL | CVSS 9.1 | EPSS 0.0% | Priority 46 | Signals: No patch
Summary: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions t

CVE-2026-34285 | CRITICAL | CVSS 9.1 | EPSS 0.0% | Priority 46 | Signals: No patch
Summary: Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected

CVE-2026-34286 | CRITICAL | CVSS 9.1 | EPSS 0.0% | Priority 46 | Signals: No patch
Summary: Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected

CVE-2026-34287 | CRITICAL | CVSS 9.1 | EPSS 0.0% | Priority 46 | Signals: No patch
Summary: Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected

CVE-2026-43937 | HIGH | CVSS 8.8 | EPSS 0.1% | Priority 44 | Signals: none
Summary: Authorization bypass in YAFNET forum software (versions ≤4.0.4) allows any low-privileged authenticated user to execute arbitrary SQL commands against the backend database. The flaw stems from a misplaced ASP.NET Core filter (`PageSecurityCheckAttribute`) that validates admin privileges *after* page handlers execute, enabling attackers to inject SQL via the `/Admin/RunSql` endpoint before the 302 redirect occurs. Publicly available exploit code exists (GitHub advisory GHSA-xhw7-j96h-c3g5) demonstrating time-based blind SQL injection to extract `@@VERSION` and manipulate identity tables. CVSS 8.8 (AV:N/AC:L/PR:L) reflects network-accessible exploitation requiring only a standard forum account, trivially obtained via self-registration on most deployments. Vendor-released patch available in version 4.0.5.

CVE-2026-35228 | HIGH | CVSS 8.7 | EPSS 0.1% | Priority 44 | Signals: No patch
Summary: SQL injection in Oracle MCP Server Helper Tool 1.0.1 through 1.0.156 allows low-privileged authenticated attackers to execute malicious SQL queries with high confidentiality and integrity impact across security boundaries. The vulnerability requires network access via HTTP and user interaction, and affects the helper tool component. With CVSS 8.7 and low attack complexity (AC:L), this represents significant risk for organizations running affected versions, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The changed scope (S:C) indicates potential impact beyond the vulnerable component itself.

CVE-2026-34291 | HIGH | CVSS 8.7 | EPSS 0.0% | Priority 44 | Signals: No patch
Summary: Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 an

CVE-2026-42449 | HIGH | CVSS 8.5 | EPSS 0.0% | Priority 43 | Signals: none
Summary: Server-Side Request Forgery (SSRF) in the n8n-mcp SDK allows authenticated remote attackers to access cloud metadata endpoints and internal network resources via an IPv4-mapped IPv6 address bypass. Versions 2.47.4 through 2.47.13 fail to validate IPv6 addresses in the synchronous URL validator (SSRFProtection.validateUrlSync()), enabling attackers who control the n8nApiUrl parameter to bypass RFC 1918, localhost, and cloud metadata protections using addresses like [::ffff:169.254.169.254]. The vulnerability is non-blind SSRF that returns response bodies to the attacker, and it forwards the n8nApiKey in the x-n8n-api-key header to attacker-controlled targets. Confirmed actively exploited (CISA KEV). Vendor-released patch: version 2.47.14. EPSS exploitation probability not provided, but risk is elevated given KEV status and the availability of exploit code in the GitHub advisory.
