445
CVEs
143
Critical
157
High
3
KEV
10
PoC
273
Unpatched C/H
20.9%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
143
HIGH
157
MEDIUM
122
LOW
22
Monthly CVE Trend
Affected Products (30)
MySQL
1171
Java
889
Jre
721
Jdk
714
Oncommand Insight
692
Oncommand Workflow Automation
527
Ubuntu Linux
454
Active Iq Unified Manager
452
Snapcenter
445
Debian Linux
410
Vm Virtualbox
374
MariaDB
322
Enterprise Linux Server Aus
299
Enterprise Linux Eus
288
Enterprise Linux Desktop
279
Enterprise Linux Workstation
279
Solaris
279
Enterprise Linux Server
279
Fedora
270
Enterprise Linux Server Tus
269
Fusion Middleware
241
Peoplesoft Enterprise Peopletools
212
Weblogic Server
198
Database Server
192
Mysql Server
185
Leap
183
E Business Suite
177
Outside In Technology
165
Enterprise Linux
163
E Series Santricity Os Controller
150
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-35273 | Remote takeover of Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 is possible through the Updates Environment Management component via unauthenticated HTTP requests. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network-based exploitation against any internet- or intranet-exposed instance, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but Oracle's 'easily exploitable' language and the unauthenticated nature make this a high-priority patching target. | CRITICAL | 9.8 | 0.0% | 124 |
KEV
PoC
No patch
|
| CVE-2026-46817 | Remote takeover of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible via the File Transmission component, allowing unauthenticated network-based attackers to fully compromise confidentiality, integrity, and availability (CVSS 9.8). The flaw is described by Oracle as easily exploitable over HTTP with no user interaction, and no public exploit identified at time of analysis. Tagged as Information Disclosure and listed in Oracle's May 2026 Critical Patch Update advisory. | CRITICAL | 9.8 | 0.0% | 119 |
KEV
PoC
No patch
|
| CVE-2026-55255 | Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing the victim's flow UUID as the `model` value to the `/api/v1/responses` endpoint, exposing data the victim's flow processes and consuming their resources. The flaw is an Insecure Direct Object Reference (CWE-639) in the `get_flow_by_id_or_endpoint_name` helper, which skipped ownership checks on the UUID lookup path. Publicly available exploit code exists (a working curl PoC), and the input lists it as confirmed actively exploited (CISA KEV), though the SSVC exploitation status of 'poc' and a low 0.24% EPSS complicate that claim (see risk_assessment). | HIGH | 8.4 | 0.2% | 112 |
KEV
PoC
|
| CVE-2026-49952 | Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to access database backup and restore functionality exposed by dbbak.php. The flaw stems from a shared cryptographic key (CWE-323) between UCenter integration and the backup API, which lets an attacker abuse an encryption oracle in logging_ctl::logging_more() to mint legitimately signed authorization tokens, and chain a race condition to impersonate arbitrary users. Publicly available exploit code exists and an upstream fix has been published on Gitee. | CRITICAL | 9.3 | 0.4% | 66 |
PoC
|
| CVE-2026-46846 | Complete takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by unauthenticated remote attackers via crafted HTTP requests to the Security Framework component, with CVSS 10.0 reflecting a scope change that lets the compromise extend beyond WebCenter into adjacent Fusion Middleware products. No public exploit identified at time of analysis, but the combination of network attack vector, low complexity, no privileges, no user interaction, and Oracle's own 'easily exploitable' wording makes this a top-priority patching event. Vendor-released patch is available via the Oracle Critical Patch Update of June 2026 (CPUJUN2026). | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-46803 | Unauthenticated remote takeover of Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP via a flaw in the Security Framework component, with a scope change extending impact to additional Oracle Fusion Middleware products. The maximum CVSS 3.1 score of 10.0 reflects network-reachable exploitation with no authentication or user interaction and full confidentiality, integrity, and availability loss; no public exploit identified at time of analysis, but the trivial attack profile makes this a top-priority patch. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-46781 | Remote unauthenticated takeover of Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0 is possible via the RMI-based Client Bundle component, with a maximum CVSS 3.1 score of 10.0 due to a scope change that impacts additional products. Oracle's June 2026 CPU advisory is the authoritative source, and no public exploit identified at time of analysis, though the AV:N/AC:L/PR:N/UI:N profile makes weaponization plausible once technical details emerge. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-46778 | Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via the Client Bundle component over RMI, allowing unauthenticated network attackers to fully compromise the product and pivot into other Fusion Middleware components due to a CVSS scope change. With a maximum 10.0 CVSS score, low attack complexity, and no privileges or user interaction required, this is a top-priority issue, though no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-35292 | Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network attackers to fully compromise the server over HTTP with no user interaction, earning the maximum CVSS 10.0 due to a scope change that can impact adjacent products. Oracle's June 2026 Critical Patch Update is the sole intelligence source; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-35301 | Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an unauthenticated network attacker to fully compromise the server with a scope change that impacts adjacent products. The CVSS 3.1 base score of 10.0 reflects the worst-case combination of network reachability, low complexity, no privileges, and full CIA impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-35307 | Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion Middleware versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries the maximum CVSS 3.1 base score of 10.0 with scope change, meaning successful exploitation can pivot impact into other products that rely on the Coherence cluster. No public exploit identified at time of analysis, but the trivial attack complexity and Oracle's critical scoring make this a top-priority patch item. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-35308 | Remote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthenticated network attacker over HTTP to fully compromise affected deployments, with scope change permitting impact on additional connected products. Supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 carry a maximum CVSS 3.1 base score of 10.0 across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. | CRITICAL | 10.0 | 0.5% | 51 |
No patch
|
| CVE-2026-46978 | Unauthenticated remote compromise of Oracle Solaris 11.4 Remote Administration Daemon (RAD) allows network attackers to read, modify, create, or delete critical data with scope change impacting adjacent products. The CVSS 3.1 base score of 10.0 with AV:N/AC:L/PR:N/UI:N reflects trivial network exploitability over HTTPS without authentication, and no public exploit identified at time of analysis. The scope-change designation indicates that successful exploitation breaches the security authority of RAD and propagates impact to other Solaris-managed components. | CRITICAL | 10.0 | 0.4% | 50 |
No patch
|
| CVE-2026-46840 | Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to compromise the service over HTTPS and pivot into adjacent products due to a scope-changing flaw. With a maximum CVSS 10.0 score and trivial exploitability (AV:N/AC:L/PR:N/UI:N), this Backend-as-a-Service component vulnerability poses critical risk, though no public exploit identified at time of analysis and no EPSS or CISA KEV signal has been provided in the available data. | CRITICAL | 10.0 | 0.0% | 50 |
No patch
|
| CVE-2026-46800 | Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximum CVSS 3.1 base score of 10.0 and a scope change indicating impact beyond the WebCenter Sites boundary. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) lists the issue as easily exploitable with no privileges or user interaction required. There is no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV. | CRITICAL | 10.0 | 0.5% | 50 |
No patch
|