{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Oracle. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp" } }, "lang": "en", "publisher": { "category": "vendor", "name": "Oracle", "namespace": "https://www.oracle.com" }, "references": [ { "summary": "URL to html version of Advisory", "url": "https://www.oracle.com/security-alerts/cspumay2026.html" }, { "category": "self", "summary": "URL to CSAF version of Advisory", "url": "https://www.oracle.com/docs/tech/security-alerts/cspumay2026csaf.json" } ], "title": "Oracle Critical Security Patch Update Advisory - May 2026 - Oracle CSAF", "tracking": { "current_release_date": "2026-05-28T13:00:00-07:00", "id": "CPUMay2026csaf", "initial_release_date": "2026-05-28T13:00:00-07:00", "revision_history": [ { "date": "2026-05-28T13:00:00-07:00", "number": "1", "summary": "Initial Release" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "Oracle Communications Unified Assurance Version 6.1.1-7.0.0", "product": { "name": "Oracle Communications Unified Assurance Version 6.1.1-7.0.0", "product_id": "P-14597V-6.1.1-7.0.0", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:communications_unified_assurance:6.1.1-7.0.0:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Communications Unified Assurance" } ], "category": "product_family", "name": "Oracle Communications" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "Oracle Database Server(Net Service) Version 23.4.0-23.26.2", "product": { "name": "Oracle Database Server(Net Service) Version 23.4.0-23.26.2", "product_id": "P-5(Net Service)V-23.4.0-23.26.2", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:database_-_net_service:23.4.0-23.26.2:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Database Server" } ], "category": "product_family", "name": "Oracle Database Server" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "Oracle Financials Common Modules Version 12.2.3-12.2.15", "product": { "name": "Oracle Financials Common Modules Version 12.2.3-12.2.15", "product_id": "P-1320V-12.2.3-12.2.15", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:financials_common_modules:12.2.3-12.2.15:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Financials Common Modules" }, { "branches": [ { "category": "product_version_range", "name": "Oracle Flow Manufacturing Version 12.2.9-12.2.15", "product": { "name": "Oracle Flow Manufacturing Version 12.2.9-12.2.15", "product_id": "P-300V-12.2.9-12.2.15", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:flow_manufacturing:12.2.9-12.2.15:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Flow Manufacturing" }, { "branches": [ { "category": "product_version_range", "name": "Oracle Internet Procurement Connector Version 12.2.3-12.2.15", "product": { "name": "Oracle Internet Procurement Connector Version 12.2.3-12.2.15", "product_id": "P-1029V-12.2.3-12.2.15", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:internet_procurement_connector:12.2.3-12.2.15:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Internet Procurement Connector" }, { "branches": [ { "category": "product_version_range", "name": "Oracle Payments Version 12.2.3-12.2.15", "product": { "name": "Oracle Payments Version 12.2.3-12.2.15", "product_id": "P-378V-12.2.3-12.2.15", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:payments:12.2.3-12.2.15:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Payments" }, { "branches": [ { "category": "product_version_range", "name": "Oracle Payroll Version 12.2.3-12.2.15", "product": { "name": "Oracle Payroll Version 12.2.3-12.2.15", "product_id": "P-506V-12.2.3-12.2.15", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:payroll:12.2.3-12.2.15:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Payroll" }, { "branches": [ { "category": "product_version_range", "name": "Oracle Public Sector Financials (International) Version 12.2.6-12.2.15", "product": { "name": "Oracle Public Sector Financials (International) Version 12.2.6-12.2.15", "product_id": "P-26V-12.2.6-12.2.15", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:public_sector_financials:12.2.6-12.2.15:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Public Sector Financials (International)" }, { "branches": [ { "category": "product_version_range", "name": "Oracle Universal Work Queue Version 12.2.3-12.2.15", "product": { "name": "Oracle Universal Work Queue Version 12.2.3-12.2.15", "product_id": "P-778V-12.2.3-12.2.15", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:universal_work_queue:12.2.3-12.2.15:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Universal Work Queue" }, { "branches": [ { "category": "product_version_range", "name": "Oracle iAssets Version 12.2.3-12.2.15", "product": { "name": "Oracle iAssets Version 12.2.3-12.2.15", "product_id": "P-1391V-12.2.3-12.2.15", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:iassets:12.2.3-12.2.15:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle iAssets" } ], "category": "product_family", "name": "Oracle E-Business Suite" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.19.24", "product": { "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.19.24", "product_id": "P-11580V-5.6.19.24", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.19.24:*:*:*:*:*:*:*" } } }, { "category": "product_version", "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.22", "product": { "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.22", "product_id": "P-11580V-5.6.22", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.22:*:*:*:*:*:*:*" } } }, { "category": "product_version", "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.25.19", "product": { "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.25.19", "product_id": "P-11580V-5.6.25.19", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.25.19:*:*:*:*:*:*:*" } } }, { "category": "product_version", "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.27.6", "product": { "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.27.6", "product_id": "P-11580V-5.6.27.6", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.27.6:*:*:*:*:*:*:*" } } }, { "category": "product_version", "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.28", "product": { "name": "Oracle Hospitality OPERA 5 Property Services Version 5.6.28", "product_id": "P-11580V-5.6.28", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.28:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle Hospitality OPERA 5 Property Services" } ], "category": "product_family", "name": "Oracle Hospitality Applications" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "Oracle REST Data Services Version 24.2.0-26.1.0", "product": { "name": "Oracle REST Data Services Version 24.2.0-26.1.0", "product_id": "P-9456V-24.2.0-26.1.0", "product_identification_helper": { "cpe": "cpe:2.3:a:oracle:rest_data_services:24.2.0-26.1.0:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Oracle REST Data Services" } ], "category": "product_family", "name": "Oracle REST Data Services" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-13465", "flags": [ { "date": "2026-05-28T13:00:00-07:00", "label": "vulnerable_code_not_in_execute_path", "product_ids": [ "P-9456V-24.2.0-26.1.0" ] } ], "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39254336" } ], "notes": [ { "category": "description", "text": "Security-in-Depth issue in Oracle REST Data Services (component: Core (Lodash)). This vulnerability cannot be exploited in the context of this product.", "title": "Vulnerability Description" } ], "product_status": { "known_not_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 0.0, "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ], "threats": [ { "category": "impact", "date": "2026-05-28T13:00:00-07:00", "details": "The affected code is not reachable through the execution of the code, including non-anticipated states of the product. Components that are neither used nor executed by the product.", "product_ids": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "cve": "CVE-2025-14017", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2025-15467", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-14597V-6.1.1-7.0.0" ] } ] }, { "cve": "CVE-2025-58050", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39105090" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (PCRE2)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Unified Assurance. CVSS 3.1 Base Score 8.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1" }, "products": [ "P-14597V-6.1.1-7.0.0" ] } ] }, { "cve": "CVE-2026-21998", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-22001", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-22002", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-22004", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-22005", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-22009", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-22015", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-22017", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-2332", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39233009" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Core (Eclipse Jetty)). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "cve": "CVE-2026-23918", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-24072", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-24281", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39225825" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache ZooKeeper)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-24308", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39225825" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache ZooKeeper)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "P-14597V-6.1.1-7.0.0" ] } ] }, { "cve": "CVE-2026-25646", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "38965336" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (libpng)). Supported versions that are affected are 6.1.1-7.0.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance. CVSS 3.1 Base Score 6.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ], "scores": [ { "cvss_v3": { "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-14597V-6.1.1-7.0.0" ] } ] }, { "cve": "CVE-2026-28780", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-29145", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39261460" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Tomcat)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-29168", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-29169", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-2950", "flags": [ { "date": "2026-05-28T13:00:00-07:00", "label": "vulnerable_code_not_in_execute_path", "product_ids": [ "P-9456V-24.2.0-26.1.0" ] } ], "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39254336" } ], "notes": [ { "category": "description", "text": "Security-in-Depth issue in Oracle REST Data Services (component: Core (Lodash)). This vulnerability cannot be exploited in the context of this product.", "title": "Vulnerability Description" } ], "product_status": { "known_not_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 0.0, "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ], "threats": [ { "category": "impact", "date": "2026-05-28T13:00:00-07:00", "details": "The affected code is not reachable through the execution of the code, including non-anticipated states of the product. Components that are neither used nor executed by the product.", "product_ids": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "cve": "CVE-2026-33006", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-33007", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-33523", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-33557", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39276857" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Message Bus (Apache Kafka)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Unified Assurance accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ], "scores": [ { "cvss_v3": { "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "P-14597V-6.1.1-7.0.0" ] } ] }, { "cve": "CVE-2026-33857", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-34032", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-34059", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39359987" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache HTTP Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data. CVSS 3.1 Base Score 4.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ], "scores": [ { "cvss_v3": { "baseScore": 4.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "P-14597V-6.1.1-7.0.0" ] } ] }, { "cve": "CVE-2026-34270", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-34271", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-34276", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-34303", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-34304", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-34308", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "acknowledgments": [ { "names": [ "Alex Lee" ], "organization": "PwC HK Darklab" }, { "names": [ "Johnathan Law" ], "organization": "PwC HK Darklab" } ], "cve": "CVE-2026-34311", "ids": [ { "system_name": "Oracle Bug ID of Oracle Hospitality OPERA 5 Property Services", "text": "39052600" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-11580V-5.6.22", "P-11580V-5.6.19.24", "P-11580V-5.6.25.19", "P-11580V-5.6.27.6", "P-11580V-5.6.28" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-11580V-5.6.27.6", "P-11580V-5.6.22", "P-11580V-5.6.19.24", "P-11580V-5.6.25.19", "P-11580V-5.6.28" ], "url": "https://support.oracle.com/support/?documentId=CPU163" } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-11580V-5.6.27.6", "P-11580V-5.6.22", "P-11580V-5.6.19.24", "P-11580V-5.6.25.19", "P-11580V-5.6.28" ] } ] }, { "cve": "CVE-2026-34483", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39261460" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Tomcat)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-34486", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39261460" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Tomcat)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-34487", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39261460" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Tomcat)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "P-14597V-6.1.1-7.0.0" ] } ] }, { "cve": "CVE-2026-34500", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39261460" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Tomcat)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-35236", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-35237", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-35238", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-35239", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-35240", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39278193" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (MySQL Server)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-35266", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39226520" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 7.9, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "cve": "CVE-2026-35277", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39226564" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "cve": "CVE-2026-35554", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39276857" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Message Bus (Apache Kafka)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Unified Assurance accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-40466", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39293310" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Message Bus (Apache ActiveMQ)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-41043", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39293310" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Message Bus (Apache ActiveMQ)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ] }, { "cve": "CVE-2026-41044", "ids": [ { "system_name": "Oracle Bug ID of Oracle Communications Unified Assurance", "text": "39293310" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Message Bus (Apache ActiveMQ)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-14597V-6.1.1-7.0.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-14597V-6.1.1-7.0.0" ], "url": "https://support.oracle.com/support/?documentId=CPU166" } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-14597V-6.1.1-7.0.0" ] } ] }, { "cve": "CVE-2026-46775", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39290879" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 9.9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "cve": "CVE-2026-46817", "ids": [ { "system_name": "Oracle Bug ID of Oracle Payments", "text": "39353591" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-378V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-378V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-378V-12.2.3-12.2.15" ] } ] }, { "cve": "CVE-2026-46818", "ids": [ { "system_name": "Oracle Bug ID of Oracle Payments", "text": "39353594" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Payments. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payments accessible data as well as unauthorized access to critical data or complete access to all Oracle Payments accessible data. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-378V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-378V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "P-378V-12.2.3-12.2.15" ] } ] }, { "cve": "CVE-2026-46819", "ids": [ { "system_name": "Oracle Bug ID of Oracle Internet Procurement Connector", "text": "39354827" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Internet Procurement Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Internet Procurement Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-1029V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-1029V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "P-1029V-12.2.3-12.2.15" ] } ] }, { "cve": "CVE-2026-46820", "ids": [ { "system_name": "Oracle Bug ID of Oracle Financials Common Modules", "text": "39354839" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data as well as unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-1320V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-1320V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" }, "products": [ "P-1320V-12.2.3-12.2.15" ] } ] }, { "cve": "CVE-2026-46821", "ids": [ { "system_name": "Oracle Bug ID of Oracle Financials Common Modules", "text": "39354845" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-1320V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-1320V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "products": [ "P-1320V-12.2.3-12.2.15" ] } ] }, { "cve": "CVE-2026-46822", "ids": [ { "system_name": "Oracle Bug ID of Oracle iAssets", "text": "39355196" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iAssets. While the vulnerability is in Oracle iAssets, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iAssets. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-1391V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-1391V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 9.9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-1391V-12.2.3-12.2.15" ] } ] }, { "cve": "CVE-2026-46823", "ids": [ { "system_name": "Oracle Bug ID of Oracle Public Sector Financials (International)", "text": "39355544" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Public Sector Financials (International). While the vulnerability is in Oracle Public Sector Financials (International), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Public Sector Financials (International) accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-26V-12.2.6-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-26V-12.2.6-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "products": [ "P-26V-12.2.6-12.2.15" ] } ] }, { "cve": "CVE-2026-46824", "ids": [ { "system_name": "Oracle Bug ID of Oracle Universal Work Queue", "text": "39355569" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-778V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-778V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 9.9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-778V-12.2.3-12.2.15" ] } ] }, { "cve": "CVE-2026-46826", "ids": [ { "system_name": "Oracle Bug ID of Oracle Payroll", "text": "39358380" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-506V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-506V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-506V-12.2.3-12.2.15" ] } ] }, { "cve": "CVE-2026-46827", "ids": [ { "system_name": "Oracle Bug ID of Oracle Payroll", "text": "39358448" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-506V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-506V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-506V-12.2.3-12.2.15" ] } ] }, { "cve": "CVE-2026-46828", "ids": [ { "system_name": "Oracle Bug ID of Oracle Payroll", "text": "39358449" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payroll accessible data as well as unauthorized access to critical data or complete access to all Oracle Payroll accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-506V-12.2.3-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-506V-12.2.3-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "P-506V-12.2.3-12.2.15" ] } ] }, { "acknowledgments": [ { "names": [ "Xchglabs" ] } ], "cve": "CVE-2026-46829", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39360532" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "acknowledgments": [ { "names": [ "Xchglabs" ] } ], "cve": "CVE-2026-46830", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39360540" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "acknowledgments": [ { "names": [ "HexRabbit" ], "organization": "DEVCORE Research Team" } ], "cve": "CVE-2026-46833", "ids": [ { "system_name": "Oracle Bug ID of Oracle Database Server", "text": "39369187" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-5(Net Service)V-23.4.0-23.26.2" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-5(Net Service)V-23.4.0-23.26.2" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 9.0, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-5(Net Service)V-23.4.0-23.26.2" ] } ] }, { "cve": "CVE-2026-46834", "ids": [ { "system_name": "Oracle Bug ID of Oracle Database Server", "text": "39398014" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-5(Net Service)V-23.4.0-23.26.2" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-5(Net Service)V-23.4.0-23.26.2" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "P-5(Net Service)V-23.4.0-23.26.2" ] } ] }, { "cve": "CVE-2026-46835", "ids": [ { "system_name": "Oracle Bug ID of Oracle Database Server", "text": "39398052" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-5(Net Service)V-23.4.0-23.26.2" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-5(Net Service)V-23.4.0-23.26.2" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "P-5(Net Service)V-23.4.0-23.26.2" ] } ] }, { "cve": "CVE-2026-46837", "ids": [ { "system_name": "Oracle Bug ID of Oracle Flow Manufacturing", "text": "39355595" } ], "notes": [ { "category": "description", "text": "Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-300V-12.2.9-12.2.15" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-300V-12.2.9-12.2.15" ], "url": "https://support.oracle.com/support/?documentId=KA923" } ], "scores": [ { "cvss_v3": { "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-300V-12.2.9-12.2.15" ] } ] }, { "acknowledgments": [ { "names": [ "Le Duc Anh Vu (vulda1)" ], "organization": "Viettel Cyber Security" } ], "cve": "CVE-2026-46839", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39360292" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 9.9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "acknowledgments": [ { "names": [ "Xchglabs" ] } ], "cve": "CVE-2026-46840", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39360403" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 10.0, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "acknowledgments": [ { "names": [ "Xchglabs" ] } ], "cve": "CVE-2026-46841", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39360418" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: General). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "acknowledgments": [ { "names": [ "Xchglabs" ] } ], "cve": "CVE-2026-46842", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39360434" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "acknowledgments": [ { "names": [ "Xchglabs" ] } ], "cve": "CVE-2026-46843", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39360439" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "cve": "CVE-2026-4800", "flags": [ { "date": "2026-05-28T13:00:00-07:00", "label": "vulnerable_code_not_in_execute_path", "product_ids": [ "P-9456V-24.2.0-26.1.0" ] } ], "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39254336" } ], "notes": [ { "category": "description", "text": "Security-in-Depth issue in Oracle REST Data Services (component: Core (Lodash)). This vulnerability cannot be exploited in the context of this product.", "title": "Vulnerability Description" } ], "product_status": { "known_not_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ], "scores": [ { "cvss_v3": { "baseScore": 0.0, "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1" }, "products": [ "P-9456V-24.2.0-26.1.0" ] } ], "threats": [ { "category": "impact", "date": "2026-05-28T13:00:00-07:00", "details": "The affected code is not reachable through the execution of the code, including non-anticipated states of the product. Components that are neither used nor executed by the product.", "product_ids": [ "P-9456V-24.2.0-26.1.0" ] } ] }, { "cve": "CVE-2026-5795", "ids": [ { "system_name": "Oracle Bug ID of Oracle REST Data Services", "text": "39233009" } ], "notes": [ { "category": "description", "text": "Vulnerability in Oracle REST Data Services (component: Core (Eclipse Jetty)). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "P-9456V-24.2.0-26.1.0" ] }, "remediations": [ { "category": "vendor_fix", "details": "Oracle customers with valid support contracts", "product_ids": [ "P-9456V-24.2.0-26.1.0" ], "url": "https://support.oracle.com/support/?documentId=CPU164" } ] } ] }