| Metric | Value |
|---|---|
| CVEs | 147 |
| Critical | 10 |
| High | 38 |
| KEV | 0 |
| PoC | 2 |
| Unpatched Critical/High (C/H) | 30 |
| Patch Rate | 28.6% |
| Avg EPSS | 0.0% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 10 |
| HIGH | 38 |
| MEDIUM | 88 |
| LOW | 11 |
Monthly CVE Trend (chart)
Affected Products (30)

| Product | CVEs |
|---|---|
| MySQL | 70 |
| MySQL Server | 66 |
| Java | 38 |
| VM VirtualBox | 19 |
| JD Edwards EnterpriseOne Tools | 18 |
| VirtualBox | 14 |
| MySQL Cluster | 11 |
| MSSQL | 11 |
| Python | 8 |
| GraalVM for JDK | 7 |
| Docker | 7 |
| JDK | 7 |
| Solaris | 7 |
| JRE | 7 |
| PeopleSoft Enterprise PeopleTools | 6 |
| GraalVM | 6 |
| Node.js | 5 |
| PHP | 5 |
| Communications Order and Service Management | 4 |
| Agile Product Lifecycle Management | 4 |
| E-Business Suite | 4 |
| Linux Kernel | 4 |
| PostgreSQL | 4 |
| Application Object Library | 3 |
| Java Virtual Machine | 3 |
| Life Sciences Central Designer | 3 |
| Configurator | 3 |
| Hospitality OPERA 5 | 3 |
| Active IQ Unified Manager | 3 |
| PeopleSoft Enterprise CC Common Application Objects | 3 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-21992 | A critical authentication bypass in Oracle Identity Manager and Oracle Web Services Manager allows remote attackers to completely compromise affected systems without any credentials. The vulnerability resides in the REST WebServices and Web Services Security components and affects versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, this is a severe risk to identity management infrastructure, though no current KEV listing or public PoC has been documented in available sources. | CRITICAL | 9.8 | 0.0% | 69 | PoC; No patch |
| CVE-2026-28490 | Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle: decryption failures leak through timing and exception patterns, allowing an attacker to decrypt protected data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side channel. Public exploit code exists; the issue affects Authlib users in Python and related Oracle products. | MEDIUM | 6.5 | 0.0% | 53 | PoC |
| CVE-2026-21994 | A critical unauthenticated remote code execution vulnerability in Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit version 0.3.0. An attacker with network access via HTTP can completely take over the affected system without authentication, privileges, or user interaction. The CVSS score of 9.8 reflects maximum impact across confidentiality, integrity, and availability. There is no evidence of active exploitation (not in CISA KEV), and no proof-of-concept code has been publicly identified in the available intelligence. | CRITICAL | 9.8 | 0.0% | 49 | No patch |
| CVE-2026-34275 | Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions t | CRITICAL | 9.8 | 0.0% | 49 | No patch |
| CVE-2026-29080 | SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (single-iteration SHA-256, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed, with patches released across four version branches. PostgreSQL and MySQL deployments are not affected because SQLAlchemy parameterizes the query correctly on those dialects. | CRITICAL | 9.4 | 0.1% | 47 | none |
| CVE-2026-33439 | Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue | CRITICAL | 9.3 | 0.1% | 47 | none |
| CVE-2026-27886 | Boolean-oracle information disclosure in the Strapi Content API allows remote unauthenticated attackers to extract admin password-reset tokens and achieve full administrative account takeover. Strapi versions 4.0.0 through 5.36.1 fail to sanitize relational query parameters on public content-type endpoints. By crafting `where` filters that traverse into joined `admin_users` table columns (e.g., `where[updatedBy][resetPasswordToken][$startsWith]=a`), attackers perform character-by-character oracle attacks against private admin fields, then use the extracted reset token to hijack administrator accounts. WildWest CyberSecurity reports this critical vulnerability with CVSS 9.3, affecting all Strapi deployments with public content-types containing admin-relation fields (`updatedBy`, `createdBy`, `publishedBy`). Vendor-released patch available in version 5.37.0. No active exploitation or public PoC identified at time of analysis. | CRITICAL | 9.2 | 0.1% | 46 | none |
| CVE-2026-34279 | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions t | CRITICAL | 9.1 | 0.0% | 46 | No patch |
| CVE-2026-34285 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected | CRITICAL | 9.1 | 0.0% | 46 | No patch |
| CVE-2026-34286 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected | CRITICAL | 9.1 | 0.0% | 46 | No patch |
| CVE-2026-34287 | Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected | CRITICAL | 9.1 | 0.0% | 46 | No patch |
| CVE-2026-43937 | Authorization bypass in YAFNET forum software (versions 4.0.4 and earlier) allows any low-privileged authenticated user to execute arbitrary SQL commands against the backend database. The flaw stems from a misplaced ASP.NET Core filter (`PageSecurityCheckAttribute`) that validates admin privileges *after* page handlers execute, so an attacker can inject SQL via the `/Admin/RunSql` endpoint before the 302 redirect occurs. Publicly available exploit code exists (GitHub advisory GHSA-xhw7-j96h-c3g5) demonstrating time-based blind SQL injection to extract `@@VERSION` and manipulate identity tables. CVSS 8.8 (AV:N/AC:L/PR:L) reflects network-accessible exploitation requiring only a standard forum account, trivially obtained via self-registration on most deployments. Vendor-released patch available in version 4.0.5. | HIGH | 8.8 | 0.1% | 44 | none |
| CVE-2026-35228 | SQL injection in Oracle MCP Server Helper Tool 1.0.1 through 1.0.156 allows low-privileged authenticated attackers to execute malicious SQL queries with high confidentiality and integrity impact across security boundaries. The vulnerability requires network access via HTTP and user interaction and affects the helper tool component. With CVSS 8.7 and low attack complexity (AC:L), this is a significant risk for organizations running affected versions, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The changed scope (S:C) indicates potential impact beyond the vulnerable component itself. | HIGH | 8.7 | 0.1% | 44 | No patch |
| CVE-2026-34291 | Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 an | HIGH | 8.7 | 0.0% | 44 | No patch |
| CVE-2026-42449 | Server-Side Request Forgery (SSRF) in the n8n-mcp SDK allows authenticated remote attackers to reach cloud metadata endpoints and internal network resources via an IPv4-mapped IPv6 address bypass. Versions 2.47.4 through 2.47.13 fail to validate IPv6 addresses in the synchronous URL validator (SSRFProtection.validateUrlSync()), so an attacker who controls the n8nApiUrl parameter can bypass the RFC 1918, localhost, and cloud metadata protections with addresses such as [::ffff:169.254.169.254]. The SSRF is non-blind (response bodies are returned to the attacker) and the request forwards the n8nApiKey in the x-n8n-api-key header to attacker-controlled targets. Confirmed actively exploited (CISA KEV). Vendor-released patch: version 2.47.14. EPSS exploitation probability not provided, but risk is elevated given KEV status and the availability of exploit code in the GitHub advisory. | HIGH | 8.5 | 0.0% | 43 | none |
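The CVE-2026-28490 row above describes an unwrap routine that raises on bad PKCS#1 v1.5 padding before the AEAD tag is checked. The block below is an added example, not Authlib's code: it reconstructs that control flow next to the standard countermeasure (on a padding failure, substitute a random content-encryption key and let the tag check fail, so every failure ends in the same exception). The RSA private-key operation and AES-GCM are replaced by labelled stand-ins (`rsa_private_op_stub`, an HMAC-based encrypt-then-MAC) so the block runs with the standard library; the timing half of the oracle, which the page attributes to disabled constant-time unpadding, is not modelled here.

```python
import hashlib
import hmac
import os

CEK_LEN = 32  # bytes the content-encryption algorithm expects


def pkcs1_v15_unpad(em: bytes) -> bytes:
    """EME-PKCS1-v1_5 decoding: 00 || 02 || PS (>= 8 non-zero bytes) || 00 || M."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator at all, or fewer than 8 bytes of PS
        raise ValueError("bad padding")
    return em[sep + 1:]


def rsa_private_op_stub(wrapped_cek: bytes) -> bytes:
    # Stand-in (an assumption of this example) for the RSA private-key operation.
    # The oracle lives in what happens *after* RSA, so the "ciphertext" here is
    # already the decoded block; a real attacker steers it through RSA malleability.
    return wrapped_cek


def _keystream(cek: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(cek + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def aead_seal_stub(cek, iv, plaintext, aad):
    """Encrypt-then-MAC stand-in for AES-GCM (hash-counter stream + truncated HMAC tag)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(cek, iv, len(plaintext))))
    tag = hmac.new(cek, aad + iv + ct, hashlib.sha256).digest()[:16]
    return ct, tag


def aead_open_stub(cek, iv, ct, tag, aad):
    expect = hmac.new(cek, aad + iv + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(cek, iv, len(ct))))


def jwe_decrypt_vulnerable(wrapped_cek, iv, ct, tag, aad):
    # "bad padding" escapes before the tag is ever checked: whoever observes the
    # error learns whether the RSA output was a well-formed block.
    cek = pkcs1_v15_unpad(rsa_private_op_stub(wrapped_cek))
    return aead_open_stub(cek, iv, ct, tag, aad)


def jwe_decrypt_hardened(wrapped_cek, iv, ct, tag, aad):
    # Never fail on padding (or on a wrong key length): carry on with a random
    # CEK so the AEAD tag check fails exactly as it would for any wrong key,
    # and collapse every failure into one exception.
    try:
        cek = pkcs1_v15_unpad(rsa_private_op_stub(wrapped_cek))
        if len(cek) != CEK_LEN:
            raise ValueError("bad length")
    except ValueError:
        cek = os.urandom(CEK_LEN)
    try:
        return aead_open_stub(cek, iv, ct, tag, aad)
    except ValueError:
        raise ValueError("decryption failed") from None


def make_message(cek: bytes, plaintext: bytes, aad: bytes = b"hdr"):
    """Constructed JWE-like message: well-padded CEK block plus sealed content."""
    iv = b"\x01" * 12  # fixed so the example is deterministic
    ct, tag = aead_seal_stub(cek, iv, plaintext, aad)
    wrapped = b"\x00\x02" + b"\x55" * 8 + b"\x00" + cek
    return wrapped, iv, ct, tag, aad


def probe(decrypt, wrapped_cek, iv, ct, tag, aad) -> str:
    """What an attacker observes for one modified ciphertext."""
    try:
        decrypt(wrapped_cek, iv, ct, tag, aad)
        return "ok"
    except ValueError as exc:
        return str(exc)


def oracle_distinguishes(decrypt) -> bool:
    """True if the routine leaks 'was the padding valid?' through its error behaviour."""
    cek = bytes(range(1, CEK_LEN + 1))  # no 0x00 bytes, so the block decodes cleanly
    wrapped, iv, ct, tag, aad = make_message(cek, b"attacker-chosen target")
    bad_padding = b"\x00\x01" + wrapped[2:]                 # wrong block type
    good_padding_wrong_key = wrapped[:11] + bytes(CEK_LEN)  # decodes, but CEK is wrong
    a = probe(decrypt, bad_padding, iv, ct, tag, aad)
    b = probe(decrypt, good_padding_wrong_key, iv, ct, tag, aad)
    return a != b


if __name__ == "__main__":
    print("vulnerable leaks:", oracle_distinguishes(jwe_decrypt_vulnerable))  # True
    print("hardened leaks:", oracle_distinguishes(jwe_decrypt_hardened))      # False
```

The hardened path still has to be paired with a constant-time unpad (the protection the page says Authlib turned off); uniform exceptions remove the logical oracle, not a timing one.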
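The CVE-2026-27886 row describes a boolean oracle built from `where` filters that traverse an admin relation. The block below is an added example, not Strapi's code: a minimal filter parser and in-memory content endpoint (constructed records, hypothetical `find_unsanitized`/`find_sanitized` functions) that shows how the `$startsWith` loop recovers a reset token one character at a time, and a fix that refuses filter paths crossing `updatedBy`/`createdBy`/`publishedBy` on a public endpoint.

```python
import re
from urllib.parse import parse_qsl

# Constructed data (not from Strapi): one public "article" whose updatedBy
# relation points at a row in the admin_users table.
ADMIN_USERS = {
    1: {"id": 1, "email": "admin@example.com", "resetPasswordToken": "7c4e9a2b"},
}
ARTICLES = [
    {"id": 10, "title": "Hello", "updatedBy": 1},
]

ADMIN_RELATION_FIELDS = {"updatedBy", "createdBy", "publishedBy"}
_BRACKET_RE = re.compile(r"\[([^\]]*)\]")

OPERATORS = {
    "$eq": lambda field, value: field == value,
    "$startsWith": lambda field, value: isinstance(field, str) and field.startswith(value),
}


def parse_filters(query_string: str):
    """'where[a][b][$op]=v' -> [(['a', 'b'], '$op', 'v'), ...]."""
    filters = []
    for key, value in parse_qsl(query_string):
        root, _, rest = key.partition("[")
        if root != "where":
            continue
        parts = _BRACKET_RE.findall("[" + rest)
        if len(parts) < 2 or parts[-1] not in OPERATORS:
            raise ValueError(f"unsupported filter: {key}")
        filters.append((parts[:-1], parts[-1], value))
    return filters


def _resolve(record, path):
    """Walk the path; a step through an admin relation joins into admin_users."""
    value = record
    for step in path:
        if not isinstance(value, dict):
            return None
        if step in ADMIN_RELATION_FIELDS:
            value = ADMIN_USERS.get(value.get(step))
        else:
            value = value.get(step)
    return value


def _matches(record, filters):
    return all(OPERATORS[op](_resolve(record, path), val) for path, op, val in filters)


def find_unsanitized(query_string: str):
    """Vulnerable shape: every filter path is honoured, admin relations included."""
    return [a for a in ARTICLES if _matches(a, parse_filters(query_string))]


def find_sanitized(query_string: str):
    """Fixed shape: on a public endpoint, any path crossing an admin relation is rejected."""
    filters = parse_filters(query_string)
    for path, _, _ in filters:
        if ADMIN_RELATION_FIELDS.intersection(path):
            raise PermissionError(f"filter on private relation: {'.'.join(path)}")
    return [a for a in ARTICLES if _matches(a, filters)]


def extract_reset_token(find, alphabet="0123456789abcdef", max_len=64):
    """Boolean-oracle extraction: extend the known prefix one character per hit.

    Returns (token, number_of_requests); an empty result list is the 'false' answer."""
    token, requests = "", 0
    while len(token) < max_len:
        for ch in alphabet:
            requests += 1
            q = f"where[updatedBy][resetPasswordToken][$startsWith]={token + ch}"
            if find(q):
                token += ch
                break
        else:
            break  # no character extends the prefix: the token is complete
    return token, requests


if __name__ == "__main__":
    print(extract_reset_token(find_unsanitized))  # ('7c4e9a2b', 93)
```

The request count is linear in the alphabet size times the token length, which is why a hex token of realistic length falls in at most a few thousand unauthenticated requests; the fix rejects the query before any database access, so the oracle disappears rather than becoming slower.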
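The CVE-2026-42449 row describes a URL validator that checks IPv4 literals against private, loopback and link-local ranges but lets an IPv4-mapped IPv6 literal through. The block below is an added example, not n8n-mcp's code: a reconstruction of that check shape (`validate_url_naive`, this example's own name) beside a corrected version that parses both address families and unwraps IPv4 embedded in IPv6 (`::ffff:a.b.c.d` and 6to4 `2002::/16`) before consulting the block list. The block list contents are an assumption drawn from the ranges the row names.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges the row says the SDK meant to block (RFC 1918, loopback, link-local
# where cloud metadata lives) plus their IPv6 counterparts. Assumed, not copied.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
BLOCKED_NAMES = {"localhost"}


def _host(url: str) -> str:
    host = urlsplit(url).hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host


def validate_url_naive(url: str) -> bool:
    """Vulnerable shape: only IPv4 literals are compared against the block list,
    so any IPv6 literal (including ::ffff:169.254.169.254) passes untouched."""
    host = _host(url)
    if host in BLOCKED_NAMES:
        return False
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return True  # not an IPv4 literal -> allowed
    return not any(addr in net for net in BLOCKED_NETWORKS)


def validate_url_fixed(url: str) -> bool:
    """Parse both families and unwrap embedded IPv4 before the range check."""
    host = _host(url)
    if host in BLOCKED_NAMES:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: a complete fix resolves it and re-checks every returned
        # address (and pins the result to defeat DNS rebinding); not shown here.
        return True
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:      # ::ffff:169.254.169.254
            addr = addr.ipv4_mapped
        elif addr.sixtofour is not None:      # 2002:a9fe:a9fe::/48 -> 169.254.169.254
            addr = addr.sixtofour
    return not any(addr in net for net in BLOCKED_NETWORKS)


def compare(urls):
    """Side-by-side verdicts for a list of candidate n8nApiUrl values."""
    return {u: (validate_url_naive(u), validate_url_fixed(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, fixed) in compare([
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://[2002:a9fe:a9fe::1]/",
        "http://[::1]/",
        "https://n8n.example.com/api/v1/",
    ]).items():
        print(f"{url:55} naive={naive!s:5} fixed={fixed}")
```

Python's `ipaddress` exposes the embedded address as `ipv4_mapped` and `sixtofour`; validators that compare strings or only parse one family miss both forms, which is the shape of bypass the row describes.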