Oracle

Vendor security scorecard – 83 CVEs in the selected period

Risk score: 174
CVEs: 83
Critical: 5
High: 25
KEV-listed: 0
With public PoC: 2
Unpatched Critical/High: 22
Patch rate: 34.9%
Average EPSS: 0.0%

Severity Breakdown

CRITICAL: 5
HIGH: 25
MEDIUM: 49
LOW: 4
(total 83)

Monthly CVE Trend

Top Risky CVEs

Each entry: CVE | Severity | CVSS | EPSS | Priority score | Signals (PoC, No patch) where set, followed by the summary.

CVE-2026-21992 | CRITICAL | CVSS 9.8 | EPSS 0.0% | Priority 69 | Signals: PoC, No patch
A critical authentication bypass in Oracle Identity Manager and Oracle Web Services Manager lets a remote attacker completely compromise affected systems without credentials. The flaw sits in the REST WebServices and Web Services Security components and affects versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, it is a severe risk to identity management infrastructure, though no KEV listing or public PoC has been documented in available sources. (The signal flags recorded for this entry nonetheless include PoC; the two indicators disagree, so treat PoC availability as unconfirmed.)

CVE-2026-28490 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC
Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle: decryption failures leak through timing and exception patterns, allowing an attacker to decrypt protected data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises an exception on unwrap failure before tag validation completes, which gives a reliable side channel. Public exploit code exists. Authlib is an independent Python library, not an Oracle product.

CVE-2026-21962 | CRITICAL | CVSS 10.0 | EPSS 0.0% | Priority 50
Oracle HTTP Server and the WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability that allows unauthenticated network attackers to fully compromise the middleware layer.

CVE-2026-21969 | CRITICAL | CVSS 9.8 | EPSS 0.2% | Priority 49 | Signals: No patch
Oracle Agile PLM for Process has a CVSS 9.8 vulnerability in the Supply Chain Sourcing component that allows unauthenticated remote attackers to fully compromise the system.

CVE-2026-21994 | CRITICAL | CVSS 9.8 | EPSS 0.0% | Priority 49 | Signals: No patch
A critical unauthenticated remote code execution vulnerability in Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0. An attacker with HTTP network access can completely take over the affected system with no authentication, privileges or user interaction. The CVSS score of 9.8 reflects maximum impact on confidentiality, integrity and availability. There is no evidence of active exploitation (not in CISA KEV) and no public proof-of-concept code has been identified in the available intelligence.

CVE-2026-33439 | CRITICAL | CVSS 9.3 | EPSS 0.1% | Priority 47
Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. The issue is an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Any JATO ViewBean endpoint with <jato:form> tags (commonly password reset pages) can be targeted using a PriorityQueue→TemplatesImpl gadget chain built from libraries bundled in OpenAM's WAR file. A vendor patch is available in version 16.0.6 (GitHub commit 014007c). No public exploit code was identified at the time of analysis, but a detailed technical writeup including the gadget chain has been published. This OpenAM is the Open Identity Platform community fork, not an Oracle product.

CVE-2026-21967 | HIGH | CVSS 8.6 | EPSS 0.1% | Priority 43 | Signals: No patch
Oracle Hospitality OPERA 5, versions up to 5.6.19.23, contains a vulnerability that allows attackers unauthorized access to critical data or complete access to all Oracle Hospitalit… (CVSS 8.6).

CVE-2026-39974 | HIGH | CVSS 8.5 | EPSS 0.0% | Priority 42
Server-side request forgery in the n8n-mcp npm package, versions ≤2.47.3, allows an authenticated attacker holding a valid AUTH_TOKEN to make the server issue HTTP requests to arbitrary URLs via the manipulated multi-tenant HTTP headers x-n8n-url and x-n8n-key. Response bodies are reflected through JSON-RPC, giving access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Oracle, Alibaba), internal network services and any host reachable by the server process. Multi-tenant HTTP deployments with shared or multiple AUTH_TOKENs are at highest risk. No public exploit identified at the time of analysis. n8n-mcp is not an Oracle product; Oracle appears here only as one of the cloud metadata endpoints reachable through the flaw.

CVE-2026-21955 | HIGH | CVSS 8.2 | EPSS 0.0% | Priority 41 | Signals: No patch
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions affected: 7.1.14 and 7.2.4.

CVE-2026-21956 | HIGH | CVSS 8.2 | EPSS 0.0% | Priority 41 | Signals: No patch
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions affected: 7.1.14 and 7.2.4.

CVE-2026-21987 | HIGH | CVSS 8.2 | EPSS 0.0% | Priority 41 | Signals: No patch
Oracle VM VirtualBox, versions up to 7.1.14, contains a vulnerability that allows attackers to take over Oracle VM VirtualBox.

CVE-2026-21988 | HIGH | CVSS 8.2 | EPSS 0.0% | Priority 41 | Signals: No patch
Oracle VM VirtualBox, versions up to 7.1.14, contains a vulnerability that allows attackers to take over Oracle VM VirtualBox.

CVE-2026-21990 | HIGH | CVSS 8.2 | EPSS 0.0% | Priority 41 | Signals: No patch
Oracle VM VirtualBox, versions up to 7.1.14, contains a vulnerability that allows attackers to take over Oracle VM VirtualBox.

CVE-2026-21973 | HIGH | CVSS 8.1 | EPSS 0.1% | Priority 41 | Signals: No patch
Oracle FLEXCUBE Investor Servicing, versions up to 14.5.0.15.0, contains a vulnerability that allows attackers unauthorized creation, deletion or modification access to critical data or all O… (CVSS 8.1).

CVE-2026-21989 | HIGH | CVSS 8.1 | EPSS 0.0% | Priority 41 | Signals: No patch
Oracle VM VirtualBox, versions up to 7.1.14, contains a vulnerability that allows attackers unauthorized creation, deletion or modification access to critical data or all O… (CVSS 8.1).
