Text Form of Oracle Critical Patch Update - April 2026 Risk Matrices

This document provides the text form of the CPUApr2026 Advisory Risk Matrices. Please note that the CVE IDs in this document correspond to the same CVE IDs in the CPUApr2026 Advisory.

This page contains the following text format Risk Matrices:

Text Form of Risk Matrix for Oracle Database Server

This table provides the text form of the Risk Matrix for Oracle Database Server.
 

CVE ID Description
CVE-2025-31948 Vulnerability in the Data Mining (Intel oneAPI Toolkit OpenMP) component of Oracle Database Server. Supported versions that are affected are 19.3-19.30, 21.3-21.21 and 23.4.0-23.26.1. Easily exploitable vulnerability allows low privileged attacker having Authenticated User privilege with logon to the infrastructure where Data Mining (Intel oneAPI Toolkit OpenMP) executes to compromise Data Mining (Intel oneAPI Toolkit OpenMP). Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Data Mining (Intel oneAPI Toolkit OpenMP).

CVSS 3.1 Base Score 3.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the RDBMS (Apache Commons Lang) component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.1. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where RDBMS (Apache Commons Lang) executes to compromise RDBMS (Apache Commons Lang). Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of RDBMS (Apache Commons Lang).

CVSS 3.1 Base Score 3.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-62728 Security-in-Depth issue in the Java VM (Apache Hive) component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66614 Security-in-Depth issue in the Database (Apache Tomcat) component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-68161 Security-in-Depth issue in the SQLcl (Apache Log4j) component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-6965 Security-in-Depth issue in the Spatial and Graph (SQLite) component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-21945 Security-in-Depth issue in the GraalVM Multilingual Engine component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-21999 Vulnerability in the XML Database component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all XML Database accessible data.

CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-24400 Security-in-Depth issue in the SQLcl (assertj) component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-25210 Security-in-Depth issue in the RDBMS (libexpat) component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-26007 Vulnerability in the RDBMS (Python) component of Oracle Database Server. Supported versions that are affected are 21.3-21.21 and 23.4.0-23.26.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise RDBMS (Python). Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all RDBMS (Python) accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-27135 Security-in-Depth issue in the RDBMS (Nhttp2) component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-31790 Vulnerability in the RDBMS (OpenSSL) component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 23.4.0-23.26.1. Easily exploitable vulnerability allows high privileged attacker having None privilege with network access via multiple protocols to compromise RDBMS (OpenSSL). Successful attacks of this vulnerability can result in takeover of RDBMS (OpenSSL).

CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-31790 also addresses CVE-2025-15467.
CVE-2026-33870 Vulnerability in the Clusterware (Micronaut) component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 23.4.0-23.26.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Clusterware (Micronaut). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Clusterware (Micronaut) accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]

The patch for CVE-2026-33870 also addresses CVE-2026-33013.
CVE-2026-34237 Security-in-Depth issue in the SQLcl (MCP Java SDK) component of Oracle Database Server. This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-34312 Vulnerability in the RDBMS component of Oracle Database Server. Supported versions that are affected are 19.3-19.30. Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS accessible data.

CVSS 3.1 Base Score 2.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N). (legend) [Advisory]
CVE-2026-35229 Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Adapter for Eclipse RDF4J

This table provides the text form of the Risk Matrix for Oracle Adapter for Eclipse RDF4J.
 

CVE ID Description
CVE-2023-46750 Vulnerability in Oracle Adapter for Eclipse RDF4J (component: Jena adapter (Apache Shiro)). The supported version that is affected is 24.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Adapter for Eclipse RDF4J. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Adapter for Eclipse RDF4J, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Adapter for Eclipse RDF4J accessible data as well as unauthorized read access to a subset of Oracle Adapter for Eclipse RDF4J accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-48734 Security-in-Depth issue in Oracle Adapter for Eclipse RDF4J (component: Adapter for Eclipse RDF (Apache Commons BeanUtils)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-48924 Security-in-Depth issue in Oracle Adapter for Eclipse RDF4J (component: Adapter for Eclipse RDF (Apache Commons Lang)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-48976 Vulnerability in Oracle Adapter for Eclipse RDF4J (component: Adapter for Eclipse RDF (Apache Commons FileUpload)). The supported version that is affected is 3.12.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Adapter for Eclipse RDF4J. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Adapter for Eclipse RDF4J.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-5115 Security-in-Depth issue in Oracle Adapter for Eclipse RDF4J (component: Adapter for Eclipse RDF (Eclipse Jetty)). This vulnerability cannot be exploited in the context of this product. [Advisory]

Text Form of Risk Matrix for Oracle APEX

This table provides the text form of the Risk Matrix for Oracle APEX.
 

CVE ID Description
CVE-2025-9670 Security-in-Depth issue in the Oracle Application Express product of Oracle APEX (component: General (turndown)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-0540 Security-in-Depth issue in the Oracle Application Express product of Oracle APEX (component: General (DOMPurify)). This vulnerability cannot be exploited in the context of this product. [Advisory]

 

 

 

 

Text Form of Risk Matrix for Oracle Autonomous Health Framework

This table provides the text form of the Risk Matrix for Oracle Autonomous Health Framework.
 

CVE ID Description
CVE-2025-15467 Vulnerability in Oracle Autonomous Health Framework (component: Trace File Analyzer (OpenSSL)). Supported versions that are affected are 25.11-26.1. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise Oracle Autonomous Health Framework. Successful attacks of this vulnerability can result in takeover of Oracle Autonomous Health Framework.

CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-15467 also addresses CVE-2025-11187.
CVE-2025-68161 Security-in-Depth issue in Oracle Autonomous Health Framework (component: Trace File Analyzer (Apache Log4j)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-9232 Vulnerability in Oracle Autonomous Health Framework (component: Command Line Interface and SDK (pynacl)). Supported versions that are affected are 25.11-26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Autonomous Health Framework. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Autonomous Health Framework.

CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-9232 also addresses CVE-2025-9230.
CVE-2026-21441 Security-in-Depth issue in Oracle Autonomous Health Framework (component: Command Line Interface and SDK (urllib3)). This vulnerability cannot be exploited in the context of this product. [Advisory]

Text Form of Risk Matrix for Oracle Blockchain Platform

This table provides the text form of the Risk Matrix for Oracle Blockchain Platform.
 

CVE ID Description
CVE-2025-48924 Security-in-Depth issue in Oracle Blockchain Platform (component: BCS Console (Apache Commons Lang)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-5318 Vulnerability in Oracle Blockchain Platform (component: BCS Console (libssh)). The supported version that is affected is 24.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Blockchain Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Blockchain Platform accessible data as well as unauthorized read access to a subset of Oracle Blockchain Platform accessible data.

CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

The patch for CVE-2025-5318 also addresses CVE-2025-4877, CVE-2025-4878, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, and CVE-2025-5987.
CVE-2025-59465 Vulnerability in Oracle Blockchain Platform (component: BCS Console (Node.js)). The supported version that is affected is 24.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Blockchain Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Blockchain Platform.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-59465 also addresses CVE-2025-27209, CVE-2025-27210, CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59466, CVE-2026-21636, and CVE-2026-21637.
CVE-2025-61729 Vulnerability in Oracle Blockchain Platform (component: BCS Console (Golang Go)). The supported version that is affected is 24.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Blockchain Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Blockchain Platform.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-61729 also addresses CVE-2024-24789, CVE-2024-24790, CVE-2025-47910, CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, and CVE-2025-61727.
CVE-2025-66418 Security-in-Depth issue in Oracle Blockchain Platform (component: BCS Console (urllib3)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-8058 Security-in-Depth issue in Oracle Blockchain Platform (component: BCS Console (glibc)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-8194 Security-in-Depth issue in Oracle Blockchain Platform (component: BCS Console (Python)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-9900 Security-in-Depth issue in Oracle Blockchain Platform (component: BCS Console (LibTIFF)). This vulnerability cannot be exploited in the context of this product. [Advisory]

Text Form of Risk Matrix for Oracle Essbase

This table provides the text form of the Risk Matrix for Oracle Essbase.
 

CVE ID Description
CVE-2025-14017 Security-in-Depth issue in Oracle Essbase (component: Essbase Web Platform (curl)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-15467 Security-in-Depth issue in Oracle Essbase (component: Essbase Web Platform (OpenSSL)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-58098 Security-in-Depth issue in Oracle Essbase (component: Essbase Web Platform (Apache HTTP Server)). This vulnerability cannot be exploited in the context of this product. [Advisory]

Text Form of Risk Matrix for Oracle Global Lifecycle Management

This table provides the text form of the Risk Matrix for Oracle Global Lifecycle Management.
 

CVE ID Description
CVE-2025-52999 Security-in-Depth issue in the Oracle Global Lifecycle Management OPatchAuto product of Oracle Global Lifecycle Management (component: Database extensions (jackson-core)). This vulnerability cannot be exploited in the context of this product. [Advisory]

Text Form of Risk Matrix for Oracle GoldenGate

This table provides the text form of the Risk Matrix for Oracle GoldenGate.
 

CVE ID Description
CVE-2024-7254 Vulnerability in the Oracle GoldenGate Big Data and Application Adapters product of Oracle GoldenGate (component: Third Party (Google Protobuf-Java)). Supported versions that are affected are 23.4-23.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle GoldenGate Big Data and Application Adapters. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle GoldenGate Big Data and Application Adapters.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-11143 Vulnerability in the Oracle GoldenGate Big Data and Application Adapters product of Oracle GoldenGate (component: Java Delivery (Eclipse Jetty)). Supported versions that are affected are 21.3-21.21 and 23.4-23.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GoldenGate Big Data and Application Adapters. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle GoldenGate Big Data and Application Adapters accessible data.

CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]
CVE-2025-33042 Vulnerability in the Oracle GoldenGate Big Data and Application Adapters product of Oracle GoldenGate (component: Third Party (Apache Avro)). Supported versions that are affected are 19.1.0.0.0-19.1.0.0.21, 21.3-21.21 and 23.4-23.10. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle GoldenGate Big Data and Application Adapters executes to compromise Oracle GoldenGate Big Data and Application Adapters. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle GoldenGate Big Data and Application Adapters accessible data as well as unauthorized read access to a subset of Oracle GoldenGate Big Data and Application Adapters accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle GoldenGate Big Data and Application Adapters.

CVSS 3.1 Base Score 5.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-33042 Security-in-Depth issue in the Oracle GoldenGate Stream Analytics product of Oracle GoldenGate (component: Third Party (Apache Avro)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-48924 Vulnerability in the Oracle GoldenGate Big Data and Application Adapters product of Oracle GoldenGate (component: Third Party (Apache Commons Lang)). Supported versions that are affected are 23.4-23.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle GoldenGate Big Data and Application Adapters. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle GoldenGate Big Data and Application Adapters.

CVSS 3.1 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-62728 Security-in-Depth issue in the Oracle GoldenGate Stream Analytics product of Oracle GoldenGate (component: General (Apache Hive)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66566 Vulnerability in the Oracle GoldenGate Stream Analytics product of Oracle GoldenGate (component: General (lz4-java)). Supported versions that are affected are 19.1.0.0.0-19.1.0.0.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GoldenGate Stream Analytics. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle GoldenGate Stream Analytics accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-67721 Security-in-Depth issue in the Oracle GoldenGate Big Data and Application Adapters product of Oracle GoldenGate (component: Third Party (Aircompressor)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-67735 Vulnerability in the Oracle GoldenGate Big Data and Application Adapters product of Oracle GoldenGate (component: AWS SDK (Netty)). Supported versions that are affected are 23.4-23.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GoldenGate Big Data and Application Adapters. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle GoldenGate Big Data and Application Adapters accessible data as well as unauthorized read access to a subset of Oracle GoldenGate Big Data and Application Adapters accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-67735 Vulnerability in the Oracle GoldenGate Big Data and Application Adapters product of Oracle GoldenGate (component: Java Delivery (Netty)). Supported versions that are affected are 21.3-21.20 and 23.4-23.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GoldenGate Big Data and Application Adapters. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle GoldenGate Big Data and Application Adapters accessible data as well as unauthorized read access to a subset of Oracle GoldenGate Big Data and Application Adapters accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in Oracle GoldenGate (component: Third Party (Apache Log4j)). Supported versions that are affected are 23.4-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle GoldenGate. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle GoldenGate, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle GoldenGate accessible data as well as unauthorized read access to a subset of Oracle GoldenGate accessible data.

CVSS 3.1 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Security-in-Depth issue in the Oracle GoldenGate Stream Analytics product of Oracle GoldenGate (component: Third Party (Apache Log4j)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-8916 Vulnerability in the Oracle GoldenGate Big Data and Application Adapters product of Oracle GoldenGate (component: Java Delivery (Bouncy Castle Java Library)). Supported versions that are affected are 21.3-21.20 and 23.4-23.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle GoldenGate Big Data and Application Adapters. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle GoldenGate Big Data and Application Adapters.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2026-21452 Security-in-Depth issue in the Oracle GoldenGate Big Data and Application Adapters product of Oracle GoldenGate (component: Third Party (MessagePack)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-34273 Vulnerability in Oracle GoldenGate (component: Libraries). Supported versions that are affected are 23.4-23.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GoldenGate. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GoldenGate accessible data.

CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Graph Server and Client

This table provides the text form of the Risk Matrix for Oracle Graph Server and Client.
 

CVE ID Description
CVE-2026-24734 Security-in-Depth issue in Oracle Graph Server and Client (component: Packaging (Apache Tomcat)). This vulnerability cannot be exploited in the context of this product. [Advisory]

Text Form of Risk Matrix for Oracle NoSQL Database

This table provides the text form of the Risk Matrix for Oracle NoSQL Database.
 

CVE ID Description
CVE-2025-48924 Security-in-Depth issue in Oracle NoSQL Database (component: Administration (Apache Commons Lang)). This vulnerability cannot be exploited in the context of this product. [Advisory]

Text Form of Risk Matrix for Oracle REST Data Services

This table provides the text form of the Risk Matrix for Oracle REST Data Services.
 

CVE ID Description
CVE-2025-5115 Vulnerability in Oracle REST Data Services (component: Third Party (Eclipse Jetty)). Supported versions that are affected are 24.2.0, 24.2.1, 24.3.0, 24.3.1, 24.4.0, 25.1.1, 25.2.0, 25.2.1, 25.2.2, 25.2.3 and . Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-66453 Vulnerability in Oracle REST Data Services (component: REST Services (Rhino)). Supported versions that are affected are 24.2.0, 24.2.1, 24.3.0, 24.3.1, 24.4.0, 25.1.1, 25.2.0, 25.2.1, 25.2.2, 25.2.3, 25.3.0, 25.3.1 and 25.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2026-23864 Security-in-Depth issue in Oracle REST Data Services (component: General (React)). This vulnerability cannot be exploited in the context of this product. [Advisory]

Text Form of Risk Matrix for Oracle TimesTen In-Memory Database

This table provides the text form of the Risk Matrix for Oracle TimesTen In-Memory Database.
 

CVE ID Description
CVE-2025-68121 Vulnerability in Oracle TimesTen In-Memory Database (component: Third-party components (Golang Go)). Supported versions that are affected are 18.1.4 and 22.1.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle TimesTen In-Memory Database. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle TimesTen In-Memory Database accessible data as well as unauthorized access to critical data or complete access to all Oracle TimesTen In-Memory Database accessible data.

CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]

The patch for CVE-2025-68121 also addresses CVE-2025-61727, CVE-2025-61729, and CVE-2025-61732.

Text Form of Risk Matrix for Oracle Commerce

This table provides the text form of the Risk Matrix for Oracle Commerce.
 

CVE ID Description
CVE-2024-56406 Vulnerability in the Oracle Commerce Guided Search product of Oracle Commerce (component: Endeca Application Controller (Perl)). The supported version that is affected is 11.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Guided Search. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Commerce Guided Search as well as unauthorized update, insert or delete access to some of Oracle Commerce Guided Search accessible data and unauthorized read access to a subset of Oracle Commerce Guided Search accessible data.

CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle Commerce Guided Search product of Oracle Commerce (component: Experience Manager (Apache Commons BeanUtils)). The supported version that is affected is 11.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Commerce Guided Search. Successful attacks of this vulnerability can result in takeover of Oracle Commerce Guided Search.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-24734 Vulnerability in the Oracle Commerce Guided Search product of Oracle Commerce (component: Content Acquisition System, Endeca Application Controller, Experience Manager (Apache Tomcat)). The supported version that is affected is 11.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Guided Search. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Commerce Guided Search accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Communications

This table provides the text form of the Risk Matrix for Oracle Communications.
 

CVE ID Description
CVE-2021-0341 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Install (OkHttp)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Policy accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2023-34453 Vulnerability in the Oracle Communications Cloud Native Core Network Exposure Function product of Oracle Communications (component: Platform (Snappy)). The supported version that is affected is 24.2.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Exposure Function. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Exposure Function.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2024-45339 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Golang Go)). The supported version that is affected is 7.0.0. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Communications Unified Assurance executes to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Unified Assurance accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.

CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2024-5535 Vulnerability in the Oracle Communications Cloud Native Core Network Slice Selection Function product of Oracle Communications (component: Install (OpenSSL)). The supported version that is affected is 25.1.100. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Cloud Native Core Network Slice Selection Function. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Network Slice Selection Function accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Slice Selection Function.

CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]
CVE-2024-8184 Vulnerability in the Oracle Communications Cloud Native Core Network Exposure Function product of Oracle Communications (component: Platform (Eclipse Jetty)). The supported version that is affected is 24.2.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Exposure Function. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Exposure Function.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-12383 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Configuration (Eclipse Jersey)). The supported version that is affected is 25.1.200. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Cloud Native Core Policy accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Policy accessible data.

CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2025-12543 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Signaling (Undertow)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-12543 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Alarms, KPI, and Measurements (Undertow)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Cloud Native Core Policy, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Policy.

CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-12543 also addresses CVE-2024-3884 and CVE-2024-4027.
CVE-2025-12543 Vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: Install (Undertow)). Supported versions that are affected are 25.1.100 and 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Unified Data Repository. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Cloud Native Core Unified Data Repository, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Unified Data Repository.

CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-12543 also addresses CVE-2024-3884 and CVE-2024-4027.
CVE-2025-13151 Vulnerability in the Oracle Communications Cloud Native Core Network Exposure Function product of Oracle Communications (component: Platform (Libtasn1)). The supported version that is affected is 24.2.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Exposure Function. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Exposure Function.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-13151 Vulnerability in the Oracle Communications Cloud Native Core Network Slice Selection Function product of Oracle Communications (component: Install (Libtasn1)). Supported versions that are affected are 25.1.100 and 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Slice Selection Function. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Slice Selection Function.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-13151 Vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: ATS Framework (Libtasn1)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Unified Data Repository. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Unified Data Repository.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-14017 Vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: ATS Framework (curl)). The supported version that is affected is 25.1.200. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Communications Cloud Native Core Unified Data Repository executes to compromise Oracle Communications Cloud Native Core Unified Data Repository. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Cloud Native Core Unified Data Repository accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Unified Data Repository accessible data.

CVSS 3.1 Base Score 6.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). (legend) [Advisory]

The patch for CVE-2025-14017 also addresses CVE-2025-13034, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, and CVE-2025-15224.
CVE-2025-14104 Vulnerability in the Oracle Communications Cloud Native Core Certificate Management product of Oracle Communications (component: Configuration (util-linux)). The supported version that is affected is 25.1.201. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Communications Cloud Native Core Certificate Management executes to compromise Oracle Communications Cloud Native Core Certificate Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Certificate Management and unauthorized read access to a subset of Oracle Communications Cloud Native Core Certificate Management accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]
CVE-2025-14104 Vulnerability in the Oracle Communications Cloud Native Core Console product of Oracle Communications (component: Configuration (util-linux)). The supported version that is affected is 25.1.201. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Communications Cloud Native Core Console executes to compromise Oracle Communications Cloud Native Core Console. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Console and unauthorized read access to a subset of Oracle Communications Cloud Native Core Console accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H). (legend) [Advisory]
CVE-2025-15284 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (qs)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-15467 Vulnerability in the Oracle Communications Cloud Native Core Certificate Management product of Oracle Communications (component: Configuration (OpenSSL)). The supported version that is affected is 25.1.201. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Communications Cloud Native Core Certificate Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Certificate Management.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-15467 Vulnerability in the Oracle Communications Cloud Native Core Console product of Oracle Communications (component: Configuration (OpenSSL)). The supported version that is affected is 25.1.201. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Cloud Native Core Console. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Console.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-15467 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Function Cloud Native Environment product of Oracle Communications (component: Configuration (OpenSSL)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-15467 Security-in-Depth issue in the Oracle Communications Session Border Controller product of Oracle Communications (component: Third Party (OpenSSL)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-15467 Security-in-Depth issue in the Oracle Enterprise Communications Broker product of Oracle Communications (component: Third Party (OpenSSL)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-26333 Vulnerability in the Oracle Communications Network Integrity product of Oracle Communications (component: Other (BSAFE Crypto-J)). Supported versions that are affected are 7.3.6, 7.4.0, 7.5.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Network Integrity. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Network Integrity accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-26333 Vulnerability in the Oracle Communications Unified Inventory Management product of Oracle Communications (component: Security Component (BSAFE Crypto-J)). Supported versions that are affected are 7.5.0-7.5.1, 7.6.0-7.8.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Communications Unified Inventory Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Inventory Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-26791 Vulnerability in the Oracle Communications Cloud Native Core Network Function Cloud Native Environment product of Oracle Communications (component: Configuration (DOMPurify)). Supported versions that are affected are 25.1.200 and 25.2.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Function Cloud Native Environment. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Cloud Native Core Network Function Cloud Native Environment, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Cloud Native Core Network Function Cloud Native Environment accessible data as well as unauthorized read access to a subset of Oracle Communications Cloud Native Core Network Function Cloud Native Environment accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-27821 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Hadoop)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Unified Assurance accessible data as well as unauthorized read access to a subset of Oracle Communications Unified Assurance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 4.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-32990 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: Configuration (GnuTLS)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Security Edge Protection Proxy as well as unauthorized update, insert or delete access to some of Oracle Communications Cloud Native Core Security Edge Protection Proxy accessible data.

CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H). (legend) [Advisory]

The patch for CVE-2025-32990 also addresses CVE-2025-32988, CVE-2025-32989, and CVE-2025-6395.
CVE-2025-32990 Vulnerability in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Signaling (GnuTLS)). Supported versions that are affected are 25.1.202 and 25.2.100. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Cloud Native Core Service Communication Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Service Communication Proxy as well as unauthorized update, insert or delete access to some of Oracle Communications Cloud Native Core Service Communication Proxy accessible data.

CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H). (legend) [Advisory]

The patch for CVE-2025-32990 also addresses CVE-2025-32988, CVE-2025-32989, and CVE-2025-6395.
CVE-2025-33042 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Avro)). The supported version that is affected is 6.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Unified Assurance accessible data as well as unauthorized read access to a subset of Oracle Communications Unified Assurance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-41248 Vulnerability in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Signaling (Spring Security)). The supported version that is affected is 25.1.204. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Repository Function. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Network Repository Function accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41248 Security-in-Depth issue in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: Signaling (Spring Security)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-41248 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Spring Security)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.

CVSS 3.1 Base Score 4.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Communications Cloud Native Core Network Exposure Function product of Oracle Communications (component: Install (Spring Framework)). The supported version that is affected is 24.2.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Exposure Function. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Network Exposure Function accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: Signaling (Spring Framework)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Security Edge Protection Proxy accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Spring Framework)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.

CVSS 3.1 Base Score 4.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Security-in-Depth issue in the Management Cloud Engine product of Oracle Communications (component: Security (Spring Framework)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-41253 Vulnerability in the Oracle Communications Cloud Native Core Network Exposure Function product of Oracle Communications (component: Install (Spring Cloud Gateway)). The supported version that is affected is 24.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Exposure Function. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Network Exposure Function accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41253 Vulnerability in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Install (Spring Cloud Gateway)). The supported version that is affected is 25.1.204. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Repository Function. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Network Repository Function accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41253 Vulnerability in the Oracle Communications Cloud Native Core Network Slice Selection Function product of Oracle Communications (component: Install (Spring Cloud Gateway)). Supported versions that are affected are 25.1.100 and 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Slice Selection Function. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Network Slice Selection Function accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-48795 Vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: Security (Apache CXF)). The supported version that is affected is 25.1.200. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Unified Data Repository. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Cloud Native Core Unified Data Repository accessible data as well as unauthorized read access to a subset of Oracle Communications Cloud Native Core Unified Data Repository accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Cloud Native Core Unified Data Repository.

CVSS 3.1 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-48913 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache CXF)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-48913 also addresses CVE-2023-3894, CVE-2024-28752, CVE-2024-29736, CVE-2024-32007, CVE-2024-41172, and CVE-2025-23184.
CVE-2025-48976 Vulnerability in the Oracle Communications Cloud Native Core Network Exposure Function product of Oracle Communications (component: Platform (Apache Commons FileUpload)). The supported version that is affected is 24.2.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Exposure Function. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Exposure Function.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Signaling (Apache Commons FileUpload)). The supported version that is affected is 25.1.204. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Repository Function. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Repository Function.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-5115 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: Automated Test Suite (Eclipse Jetty)). Supported versions that are affected are 25.1.201 and 25.2.100. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Security Edge Protection Proxy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-5115 also addresses CVE-2025-59474, CVE-2025-59475, and CVE-2025-59476.
CVE-2025-5115 Vulnerability in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Install (Eclipse Jetty)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Service Communication Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Service Communication Proxy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-5115 also addresses CVE-2025-59474, CVE-2025-59475, and CVE-2025-59476.
CVE-2025-5115 Security-in-Depth issue in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Signaling (Eclipse Jetty)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-5115 Vulnerability in the Oracle Communications EAGLE Element Management System product of Oracle Communications (component: Security (Eclipse Jetty)). The supported version that is affected is 47.0.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications EAGLE Element Management System. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications EAGLE Element Management System.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-52967 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (mlflow)). Supported versions that are affected are 6.1.1-7.0.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 6.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-52967 also addresses CVE-2024-37059, CVE-2025-0453, CVE-2025-11200, CVE-2025-11201, and CVE-2025-14279.
CVE-2025-5318 Vulnerability in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Signaling (libssh)). The supported version that is affected is 25.1.204. Easily exploitable vulnerability allows low privileged attacker with network access via SFTP to compromise Oracle Communications Cloud Native Core Network Repository Function. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Network Repository Function accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Repository Function.

CVSS 3.1 Base Score 8.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-5318 also addresses CVE-2025-4877, CVE-2025-4878, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, and CVE-2025-5987.
CVE-2025-5318 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: ATS Framework (libssh)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows low privileged attacker with network access via SFTP to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Security Edge Protection Proxy accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Security Edge Protection Proxy.

CVSS 3.1 Base Score 8.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-5318 also addresses CVE-2025-4877, CVE-2025-4878, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, and CVE-2025-5987.
CVE-2025-5318 Vulnerability in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Install (libssh)). Supported versions that are affected are 25.1.202 and 25.2.100. Easily exploitable vulnerability allows low privileged attacker with network access via SFTP to compromise Oracle Communications Cloud Native Core Service Communication Proxy. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Service Communication Proxy accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Service Communication Proxy.

CVSS 3.1 Base Score 8.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-5318 also addresses CVE-2025-4877, CVE-2025-4878, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, and CVE-2025-5987.
CVE-2025-5318 Vulnerability in the Oracle Communications EAGLE Application Processor product of Oracle Communications (component: Other (libssh)). Supported versions that are affected are 17.0-17.1. Easily exploitable vulnerability allows low privileged attacker with network access via SFTP to compromise Oracle Communications EAGLE Application Processor. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications EAGLE Application Processor accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications EAGLE Application Processor.

CVSS 3.1 Base Score 8.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-5318 also addresses CVE-2025-4877, CVE-2025-4878, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, and CVE-2025-5987.
CVE-2025-5318 Vulnerability in the Oracle Communications EAGLE LNP Application Processor product of Oracle Communications (component: Patches (libssh)). The supported version that is affected is 11.0. Easily exploitable vulnerability allows low privileged attacker with network access via SFTP to compromise Oracle Communications EAGLE LNP Application Processor. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications EAGLE LNP Application Processor accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications EAGLE LNP Application Processor.

CVSS 3.1 Base Score 8.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-5318 also addresses CVE-2025-4877, CVE-2025-4878, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, and CVE-2025-5987.
CVE-2025-5318 Vulnerability in the Oracle Communications LSMS product of Oracle Communications (component: Platform (libssh)). The supported version that is affected is 14.0. Easily exploitable vulnerability allows low privileged attacker with network access via SFTP to compromise Oracle Communications LSMS. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications LSMS accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications LSMS.

CVSS 3.1 Base Score 8.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-5318 also addresses CVE-2025-4877, CVE-2025-4878, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, and CVE-2025-5987.
CVE-2025-5318 Vulnerability in the Oracle Communications Session Border Controller product of Oracle Communications (component: Routing (libssh)). Supported versions that are affected are 9.3.0, 10.0.0 and 10.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via SFTP to compromise Oracle Communications Session Border Controller. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Session Border Controller accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Session Border Controller.

CVSS 3.1 Base Score 8.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-5318 also addresses CVE-2025-4877, CVE-2025-4878, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, and CVE-2025-5987.
CVE-2025-5318 Vulnerability in the Oracle Enterprise Communications Broker product of Oracle Communications (component: Third Party (libssh)). Supported versions that are affected are 4.2.0 and 5.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via SSH to compromise Oracle Enterprise Communications Broker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Communications Broker accessible data as well as unauthorized read access to a subset of Oracle Enterprise Communications Broker accessible data.

CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-5318 Security-in-Depth issue in the Management Cloud Engine product of Oracle Communications (component: Security (libssh)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-5372 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (libssh)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via SSH to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 6.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-55130 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Install (Node.js)). The supported version that is affected is 25.1.202. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Cloud Native Core Policy accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Policy accessible data.

CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2025-55163 Vulnerability in the Oracle Communications Cloud Native Core Network Function Cloud Native Environment product of Oracle Communications (component: Configuration (Netty)). Supported versions that are affected are 25.1.200 and 25.2.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Communications Cloud Native Core Network Function Cloud Native Environment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Function Cloud Native Environment.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-55163 Vulnerability in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Signaling (Netty)). The supported version that is affected is 25.1.204. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Communications Cloud Native Core Network Repository Function. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Repository Function.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-55163 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: Signaling (Netty)). The supported version that is affected is 25.1.201. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Security Edge Protection Proxy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-55754 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Pulsar)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Unified Assurance, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 8.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-55754 also addresses CVE-2022-46337, CVE-2024-52046, CVE-2025-30065, and CVE-2025-47436.
CVE-2025-58050 Security-in-Depth issue in the Oracle Communications Cloud Native Core Console product of Oracle Communications (component: Configuration (PCRE2)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-58050 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Slice Selection Function product of Oracle Communications (component: Install (PCRE2)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-58050 Security-in-Depth issue in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Alarms, KPI, and Measurements (PCRE2)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-58050 Security-in-Depth issue in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: Signaling (PCRE2)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-58050 Security-in-Depth issue in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Signaling (PCRE2)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-58050 Security-in-Depth issue in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: Install (PCRE2)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-58050 Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Mediation Engine (PCRE2)). Supported versions that are affected are 5.2 and 6.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Operations Monitor accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Operations Monitor.

CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]
CVE-2025-58057 Vulnerability in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Signaling (Netty)). Supported versions that are affected are 25.1.100 and 25.2.100. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Service Communication Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Service Communication Proxy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-58057 also addresses CVE-2025-55163 and CVE-2025-58056.
CVE-2025-58057 Vulnerability in the Oracle Communications Service Catalog and Design product of Oracle Communications (component: Patch Request (Netty)). Supported versions that are affected are 8.0.0.6.0 and 8.1.0.5.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Service Catalog and Design. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Service Catalog and Design.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-58057 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Netty)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-58057 also addresses CVE-2024-29857, CVE-2024-30172, and CVE-2024-34447.
CVE-2025-58098 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: ATS Framework (Apache HTTP Server)). Supported versions that are affected are 25.1.200 and 25.2.100. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Cloud Native Core Security Edge Protection Proxy accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Security Edge Protection Proxy accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Cloud Native Core Security Edge Protection Proxy.

CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). (legend) [Advisory]

The patch for CVE-2025-58098 also addresses CVE-2025-55753, CVE-2025-59775, CVE-2025-65082, and CVE-2025-66200.
CVE-2025-58098 Vulnerability in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: ATS Framework (Apache HTTP Server)). Supported versions that are affected are 25.1.202 and 25.2.100. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Service Communication Proxy. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Cloud Native Core Service Communication Proxy accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Service Communication Proxy accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Cloud Native Core Service Communication Proxy.

CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). (legend) [Advisory]

The patch for CVE-2025-58098 also addresses CVE-2025-55753, CVE-2025-59775, CVE-2025-65082, and CVE-2025-66200.
CVE-2025-58098 Vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: ATS Framework (Apache HTTP Server)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Unified Data Repository. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Cloud Native Core Unified Data Repository accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Unified Data Repository accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Cloud Native Core Unified Data Repository.

CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). (legend) [Advisory]

The patch for CVE-2025-58098 also addresses CVE-2025-55753, CVE-2025-59775, CVE-2025-65082, and CVE-2025-66200.
CVE-2025-58181 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Golang Crypto)). The supported version that is affected is 7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via SSH to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 2.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L). (legend) [Advisory]

The patch for CVE-2025-58181 also addresses CVE-2025-22869 and CVE-2025-47914.
CVE-2025-59465 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Function Cloud Native Environment product of Oracle Communications (component: Configuration (Node.js)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-61795 Vulnerability in the Oracle Communications EAGLE Element Management System product of Oracle Communications (component: Security (Apache Tomcat)). The supported version that is affected is 47.0.0.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications EAGLE Element Management System. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications EAGLE Element Management System.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-61795 Security-in-Depth issue in the Management Cloud Engine product of Oracle Communications (component: BEServer (Apache Tomcat)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-61984 Vulnerability in the Oracle Communications Policy Management product of Oracle Communications (component: Configuration Management Platform (OpenSSH)). The supported version that is affected is 15.0.0.0.0. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Communications Policy Management executes to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data.

CVSS 3.1 Base Score 3.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-66418 Vulnerability in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Signaling (urllib3)). The supported version that is affected is 25.1.204. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Repository Function. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Repository Function.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-66418 also addresses CVE-2025-66471.
CVE-2025-66418 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: ATS Framework (urllib3)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Security Edge Protection Proxy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-66418 also addresses CVE-2025-66471.
CVE-2025-66418 Vulnerability in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Signaling (urllib3)). Supported versions that are affected are 25.1.202 and 25.2.100. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Service Communication Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Service Communication Proxy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-66418 also addresses CVE-2025-66471.
CVE-2025-66418 Vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: ATS Framework (urllib3)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Unified Data Repository. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Unified Data Repository.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-66418 also addresses CVE-2025-66471.
CVE-2025-66418 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (urllib3)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-66418 also addresses CVE-2025-66471 and CVE-2026-21441.
CVE-2025-66516 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Install (Apache Tika)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66516 Security-in-Depth issue in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Install (Apache Tika)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66566 Vulnerability in the Oracle Communications BRM - Elastic Charging Engine product of Oracle Communications (component: Security (lz4-java)). Supported versions that are affected are 15.0.0.0-15.0.1.0 and 15.1.0.0-15.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications BRM - Elastic Charging Engine. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications BRM - Elastic Charging Engine accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-66566 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Exposure Function product of Oracle Communications (component: Platform (lz4-java)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66566 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Signaling (lz4-java)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66566 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Slice Selection Function product of Oracle Communications (component: Install (lz4-java)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66566 Security-in-Depth issue in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Install (lz4-java)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66566 Security-in-Depth issue in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: Install (lz4-java)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66566 Vulnerability in the Oracle Communications Service Catalog and Design product of Oracle Communications (component: Patch Request (lz4-java)). Supported versions that are affected are 8.0.0.6.0, 8.1.0.5.0 and 8.2.0.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Service Catalog and Design. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Service Catalog and Design accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-67635 Vulnerability in the Oracle Communications Cloud Native Core Network Slice Selection Function product of Oracle Communications (component: Install (Jenkins)). Supported versions that are affected are 25.1.100 and 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Slice Selection Function. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Network Slice Selection Function.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-67635 also addresses CVE-2025-67636, CVE-2025-67637, CVE-2025-67638, and CVE-2025-67639.
CVE-2025-67635 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: ATS Framework (Jenkins)). Supported versions that are affected are 25.1.200 and 25.2.100. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Security Edge Protection Proxy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-67635 also addresses CVE-2025-67636, CVE-2025-67637, CVE-2025-67638, and CVE-2025-67639.
CVE-2025-67635 Vulnerability in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Signaling (Jenkins)). Supported versions that are affected are 25.1.202 and 25.2.100. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Service Communication Proxy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Service Communication Proxy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-67635 also addresses CVE-2025-67636, CVE-2025-67637, CVE-2025-67638, and CVE-2025-67639.
CVE-2025-68161 Vulnerability in the Oracle Communications BRM - Elastic Charging Engine product of Oracle Communications (component: Security issues (Apache Log4j)). Supported versions that are affected are 15.0.0.0-15.0.1.0 and 15.1.0.0-15.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications BRM - Elastic Charging Engine. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications BRM - Elastic Charging Engine accessible data as well as unauthorized read access to a subset of Oracle Communications BRM - Elastic Charging Engine accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications Billing and Revenue Management product of Oracle Communications (component: Platform (Apache Log4j)). Supported versions that are affected are 15.0.0.0.0-15.0.1.0.0 and 15.1.0.0.0-15.2.0.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Billing and Revenue Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Billing and Revenue Management accessible data as well as unauthorized read access to a subset of Oracle Communications Billing and Revenue Management accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications Convergence product of Oracle Communications (component: Configuration (Apache Log4j)). The supported version that is affected is 3.0.3.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Convergence. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Convergence accessible data as well as unauthorized read access to a subset of Oracle Communications Convergence accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications EAGLE Element Management System product of Oracle Communications (component: Security (Apache Log4j)). The supported version that is affected is 47.0.0.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications EAGLE Element Management System. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications EAGLE Element Management System accessible data as well as unauthorized read access to a subset of Oracle Communications EAGLE Element Management System accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications Instant Messaging Server product of Oracle Communications (component: Installation (Apache Log4j)). The supported version that is affected is 10.0.1.8.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Instant Messaging Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Instant Messaging Server accessible data as well as unauthorized read access to a subset of Oracle Communications Instant Messaging Server accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications Offline Mediation Controller product of Oracle Communications (component: Installation (Apache Log4j)). Supported versions that are affected are 15.0.0.0.0-15.0.1.0.0 and 15.1.0.0.0-15.2.0.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Offline Mediation Controller. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Offline Mediation Controller accessible data as well as unauthorized read access to a subset of Oracle Communications Offline Mediation Controller accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications (component: Security (Apache Log4j)). Supported versions that are affected are 7.5.0 and 8.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Order and Service Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Order and Service Management accessible data as well as unauthorized read access to a subset of Oracle Communications Order and Service Management accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications Performance Intelligence Center product of Oracle Communications (component: Management (Apache Log4j)). Supported versions that are affected are 10.5.0.0-10.5.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Performance Intelligence Center. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Performance Intelligence Center accessible data as well as unauthorized read access to a subset of Oracle Communications Performance Intelligence Center accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications Policy Management product of Oracle Communications (component: Configuration Management Platform (Apache Log4j)). The supported version that is affected is 15.0.0.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Policy Management accessible data as well as unauthorized read access to a subset of Oracle Communications Policy Management accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Log4j)). The supported version that is affected is 6.1.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Unified Assurance accessible data as well as unauthorized read access to a subset of Oracle Communications Unified Assurance accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Communications Unified Inventory Management product of Oracle Communications (component: Security Component (Apache Log4j)). Supported versions that are affected are 7.5.0, 7.5.1, 7.6.0, 7.7.0, 7.8.0 and 8.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Communications Unified Inventory Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Unified Inventory Management accessible data as well as unauthorized read access to a subset of Oracle Communications Unified Inventory Management accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Security-in-Depth issue in the Management Cloud Engine product of Oracle Communications (component: Security (Apache Log4j)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-68615 Vulnerability in the Oracle Communications EAGLE product of Oracle Communications (component: Other (Net-SNMP)). The supported version that is affected is 47.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via UDP to compromise Oracle Communications EAGLE. Successful attacks of this vulnerability can result in takeover of Oracle Communications EAGLE.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-68615 Vulnerability in the Oracle Communications EAGLE Application Processor product of Oracle Communications (component: Other (Net-SNMP)). The supported version that is affected is 17.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications EAGLE Application Processor. Successful attacks of this vulnerability can result in takeover of Oracle Communications EAGLE Application Processor.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-68615 Vulnerability in the Oracle Communications EAGLE LNP Application Processor product of Oracle Communications (component: Patches (Net-SNMP)). The supported version that is affected is 11.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications EAGLE LNP Application Processor. Successful attacks of this vulnerability can result in takeover of Oracle Communications EAGLE LNP Application Processor.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-68615 Vulnerability in the Oracle Communications LSMS product of Oracle Communications (component: Platform (Net-SNMP)). The supported version that is affected is 14.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications LSMS. Successful attacks of this vulnerability can result in takeover of Oracle Communications LSMS.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-68615 Vulnerability in the Oracle Communications Messaging Server product of Oracle Communications (component: Security (Net-SNMP)). The supported version that is affected is 8.1.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Messaging Server. Successful attacks of this vulnerability can result in takeover of Oracle Communications Messaging Server.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-68615 Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Developer Infrastructure (Net-SNMP)). Supported versions that are affected are 5.2, 6.0 and 6.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks of this vulnerability can result in takeover of Oracle Communications Operations Monitor.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-68615 Vulnerability in the Oracle Communications Policy Management product of Oracle Communications (component: Configuration Management Platform (Net-SNMP)). The supported version that is affected is 15.0.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in takeover of Oracle Communications Policy Management.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-68615 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Net-SNMP)). The supported version that is affected is 7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via UDP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 6.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-68973 Vulnerability in the Oracle Communications Cloud Native Core Certificate Management product of Oracle Communications (component: Configuration (GnuPG)). The supported version that is affected is 25.1.201. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Communications Cloud Native Core Certificate Management executes to compromise Oracle Communications Cloud Native Core Certificate Management. While the vulnerability is in Oracle Communications Cloud Native Core Certificate Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Cloud Native Core Certificate Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Certificate Management accessible data.

CVSS 3.1 Base Score 7.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N). (legend) [Advisory]
CVE-2025-68973 Vulnerability in the Oracle Communications Cloud Native Core Console product of Oracle Communications (component: Configuration (GnuPG)). The supported version that is affected is 25.1.201. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Communications Cloud Native Core Console executes to compromise Oracle Communications Cloud Native Core Console. While the vulnerability is in Oracle Communications Cloud Native Core Console, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Cloud Native Core Console accessible data as well as unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Console accessible data.

CVSS 3.1 Base Score 7.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N). (legend) [Advisory]
CVE-2025-69223 Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Mediation Engine (AIOHTTP)). Supported versions that are affected are 5.2, 6.0 and 6.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Operations Monitor.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-69223 also addresses CVE-2025-69224, CVE-2025-69225, CVE-2025-69226, CVE-2025-69227, CVE-2025-69228, CVE-2025-69229, and CVE-2025-69230.
CVE-2025-6965 Vulnerability in the Oracle Communications Cloud Native Core Network Exposure Function product of Oracle Communications (component: Platform (SQLite)). The supported version that is affected is 24.2.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Exposure Function. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Network Exposure Function.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-8194 Vulnerability in the Oracle Communications Cloud Native Core DBTier product of Oracle Communications (component: Configuration (Python)). The supported version that is affected is 25.2.100. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core DBTier. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core DBTier.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-8194 also addresses CVE-2025-6069.
CVE-2025-9086 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (curl)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-9086 also addresses CVE-2025-10148.
CVE-2025-9230 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (OpenSSL)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-9230 also addresses CVE-2025-9231 and CVE-2025-9232.
CVE-2025-9900 Vulnerability in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Signaling (LibTIFF)). The supported version that is affected is 25.1.204. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Repository Function. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Network Repository Function.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-9900 also addresses CVE-2025-8176, CVE-2025-8177, and CVE-2025-8961.
CVE-2025-9900 Vulnerability in the Oracle Communications Cloud Native Core Network Slice Selection Function product of Oracle Communications (component: Install (LibTIFF)). Supported versions that are affected are 25.1.100 and 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Slice Selection Function. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Network Slice Selection Function.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-9900 also addresses CVE-2025-8176, CVE-2025-8177, and CVE-2025-8961.
CVE-2025-9900 Security-in-Depth issue in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: Install (LibTIFF)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-0861 Vulnerability in the Oracle Communications Cloud Native Core Network Function Cloud Native Environment product of Oracle Communications (component: Configuration (glibc)). Supported versions that are affected are 25.1.200 and 25.2.200. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Communications Cloud Native Core Network Function Cloud Native Environment executes to compromise Oracle Communications Cloud Native Core Network Function Cloud Native Environment. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Network Function Cloud Native Environment.

CVSS 3.1 Base Score 8.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-0861 also addresses CVE-2026-0915.
CVE-2026-0861 Vulnerability in the Oracle Communications Unified Inventory Management product of Oracle Communications (component: Third Party (glibc)). Supported versions that are affected are 7.7.0, 7.8.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Communications Unified Inventory Management executes to compromise Oracle Communications Unified Inventory Management. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Inventory Management.

CVSS 3.1 Base Score 8.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-0861 also addresses CVE-2026-0915.
CVE-2026-0861 Vulnerability in the Oracle Enterprise Operations Monitor product of Oracle Communications (component: Mediation Engine (glibc)). The supported version that is affected is 6.1.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Enterprise Operations Monitor executes to compromise Oracle Enterprise Operations Monitor. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Operations Monitor.

CVSS 3.1 Base Score 8.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-0861 also addresses CVE-2026-0915.
CVE-2026-1642 Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Mediation Engine (nginx)). Supported versions that are affected are 5.2, 6.0 and 6.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Operations Monitor accessible data.

CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]
CVE-2026-21441 Security-in-Depth issue in the Oracle Communications Cloud Native Core DBTier product of Oracle Communications (component: Install (urllib3)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-21441 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Configuration (urllib3)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Policy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-21441 Vulnerability in the Oracle Communications Cloud Native Core Unified Data Repository product of Oracle Communications (component: Install (urllib3)). Supported versions that are affected are 25.1.100 and 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Unified Data Repository. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Unified Data Repository.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-21441 Vulnerability in the Oracle Communications Policy Management product of Oracle Communications (component: Configuration Management Platform (urllib3)). The supported version that is affected is 15.0.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Policy Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-21452 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Configuration (MessagePack)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Policy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-21637 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Node.js)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via TLS to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2026-21637 also addresses CVE-2025-55130, CVE-2025-59465, CVE-2025-59466, and CVE-2026-21636.
CVE-2026-21945 Vulnerability in the Oracle Communications Cloud Native Core Certificate Management product of Oracle Communications (component: Oracle Java SE). The supported version that is affected is 25.1.201. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Certificate Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Certificate Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-21945 Vulnerability in the Oracle Communications Cloud Native Core Console product of Oracle Communications (component: Oracle Java SE). The supported version that is affected is 25.1.201. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Console. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Console.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-22022 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Solr)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data as well as unauthorized update, insert or delete access to some of Oracle Communications Unified Assurance accessible data.

CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). (legend) [Advisory]

The patch for CVE-2026-22022 also addresses CVE-2026-22444.
CVE-2026-23490 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Configuration (pyasn1)). The supported version that is affected is 25.1.202. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Communications Cloud Native Core Policy.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-23903 Vulnerability in the Oracle Communications Element Manager product of Oracle Communications (component: Third Party (Apache Shiro)). Supported versions that are affected are 9.0.0-9.0.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Element Manager. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Communications Element Manager accessible data.

CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

The patch for CVE-2026-23903 also addresses CVE-2026-23901.
CVE-2026-23903 Vulnerability in the Oracle Communications Session Report Manager product of Oracle Communications (component: Third Party (Apache Shiro)). Supported versions that are affected are 9.0.0-9.0.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Session Report Manager. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Communications Session Report Manager accessible data.

CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

The patch for CVE-2026-23903 also addresses CVE-2026-23901.
CVE-2026-24512 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Function Cloud Native Environment product of Oracle Communications (component: Configuration (Ingress NGINX Controller)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-24734 Vulnerability in the Oracle Communications Element Manager product of Oracle Communications (component: Third Party (Apache Tomcat)). Supported versions that are affected are 9.0.0-9.0.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Element Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Element Manager accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]
CVE-2026-24734 Vulnerability in the Oracle Communications Policy Management product of Oracle Communications (component: Configuration Management Platform (Apache Tomcat)). The supported version that is affected is 15.0.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Policy Management accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]
CVE-2026-24734 Vulnerability in the Oracle Communications Session Report Manager product of Oracle Communications (component: Third Party (Apache Tomcat)). Supported versions that are affected are 9.0.0-9.0.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Session Report Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Session Report Manager accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]
CVE-2026-24734 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Apache Tomcat)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via TLS to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Unified Assurance accessible data.

CVSS 3.1 Base Score 4.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N). (legend) [Advisory]

The patch for CVE-2026-24734 also addresses CVE-2025-66614 and CVE-2026-24733.
CVE-2026-25210 Security-in-Depth issue in the Oracle Communications Cloud Native Core Binding Support Function product of Oracle Communications (component: Install (LibExpat)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-25210 Security-in-Depth issue in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Alarms, KPI, and Measurements (LibExpat)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-25210 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (LibExpat)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Communications Unified Assurance executes to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-25210 also addresses CVE-2026-24515.
CVE-2026-25646 Vulnerability in the Oracle Communications Policy Management product of Oracle Communications (component: Configuration Management Platform (libpng)). The supported version that is affected is 15.0.0.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Policy Management. Successful attacks of this vulnerability can result in takeover of Oracle Communications Policy Management.

CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-25646 also addresses CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018, CVE-2026-22695, and CVE-2026-22801.
CVE-2026-25968 Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Mediation Engine (ImageMagick)). Supported versions that are affected are 5.2, 6.0 and 6.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks of this vulnerability can result in takeover of Oracle Communications Operations Monitor.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-25968 also addresses CVE-2026-24481, CVE-2026-24484, CVE-2026-24485, CVE-2026-25576, CVE-2026-25637, CVE-2026-25638, CVE-2026-25794, CVE-2026-25795, CVE-2026-25796, CVE-2026-25797, CVE-2026-25798, CVE-2026-25799, CVE-2026-25897, CVE-2026-25898, CVE-2026-25965, CVE-2026-25966, CVE-2026-25967, CVE-2026-25969, CVE-2026-25970, CVE-2026-25971, CVE-2026-25982, CVE-2026-25983, CVE-2026-25985, CVE-2026-25986, CVE-2026-25987, CVE-2026-25988, CVE-2026-25989, CVE-2026-26066, CVE-2026-26283, CVE-2026-26284, CVE-2026-26983, CVE-2026-27798, CVE-2026-27799, CVE-2026-28493, CVE-2026-28494, CVE-2026-28686, CVE-2026-28687, CVE-2026-28688, CVE-2026-28689, CVE-2026-28690, CVE-2026-28691, CVE-2026-28692, CVE-2026-28693, CVE-2026-30883, CVE-2026-30929, CVE-2026-30931, CVE-2026-30935, and CVE-2026-30936.
CVE-2026-25990 Security-in-Depth issue in the Oracle Communications Cloud Native Core Network Slice Selection Function product of Oracle Communications (component: Install (Pillow)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-25990 Security-in-Depth issue in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: Configuration (Pillow)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-26007 Vulnerability in the Oracle Communications Cloud Native Core Binding Support Function product of Oracle Communications (component: Install (Cryptography)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Binding Support Function. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Binding Support Function accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-26007 Vulnerability in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Signaling (Cryptography)). The supported version that is affected is 25.1.204. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Repository Function. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Network Repository Function accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-26007 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Alarms, KPI, and Measurements (Cryptography)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Policy accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-26007 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: ATS Framework (Cryptography)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Security Edge Protection Proxy accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-26007 Vulnerability in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: ATS Framework (Cryptography)). Supported versions that are affected are 25.1.200 and 25.2.100. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Service Communication Proxy. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Cloud Native Core Service Communication Proxy accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-26007 Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Mediation Engine (Cryptography)). Supported versions that are affected are 5.2, 6.0 and 6.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Operations Monitor accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-26007 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Cryptography)). Supported versions that are affected are 6.1.1-7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Communications Unified Assurance accessible data.

CVSS 3.1 Base Score 4.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-27099 Vulnerability in the Oracle Communications Cloud Native Core Binding Support Function product of Oracle Communications (component: Install (Jenkins)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Binding Support Function. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Binding Support Function.

CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-27099 also addresses CVE-2026-27100.
CVE-2026-27099 Vulnerability in the Oracle Communications Cloud Native Core Network Exposure Function product of Oracle Communications (component: Install (Jenkins)). The supported version that is affected is 24.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Exposure Function. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Network Exposure Function.

CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-27099 also addresses CVE-2026-27100.
CVE-2026-27099 Vulnerability in the Oracle Communications Cloud Native Core Network Repository Function product of Oracle Communications (component: Install (Jenkins)). The supported version that is affected is 25.1.204. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Network Repository Function. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Network Repository Function.

CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-27099 also addresses CVE-2025-67635 and CVE-2026-27100.
CVE-2026-27099 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Alarms, KPI, and Measurements (Jenkins)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Policy.

CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-27099 also addresses CVE-2026-27100.
CVE-2026-27099 Vulnerability in the Oracle Communications Cloud Native Core Security Edge Protection Proxy product of Oracle Communications (component: Automated Test Suite (Jenkins)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Security Edge Protection Proxy. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Security Edge Protection Proxy.

CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-27099 also addresses CVE-2026-27100.
CVE-2026-27099 Vulnerability in the Oracle Communications Cloud Native Core Service Communication Proxy product of Oracle Communications (component: ATS Framework (Jenkins)). Supported versions that are affected are 25.1.200 and 25.2.100. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Service Communication Proxy. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Cloud Native Core Service Communication Proxy.

CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-27099 also addresses CVE-2026-27100.
CVE-2026-3288 Vulnerability in the Oracle Communications Unified Assurance product of Oracle Communications (component: Core (Ingress NGINX Controller)). The supported version that is affected is 7.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Unified Assurance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Communications Unified Assurance.

CVSS 3.1 Base Score 6.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-3288 also addresses CVE-2026-24512.
CVE-2026-33870 Vulnerability in the Oracle Communications Cloud Native Core Policy product of Oracle Communications (component: Install (Netty)). The supported version that is affected is 25.1.200. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Cloud Native Core Policy. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Communications Cloud Native Core Policy accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]


Text Form of Risk Matrix for Oracle Construction and Engineering

This table provides the text form of the Risk Matrix for Oracle Construction and Engineering.
 

CVE ID Description
CVE-2025-26791 Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: P6WS (DOMPurify)). Supported versions that are affected are 21.12.0.0-21.12.21.6, 22.12.0.0-22.12.21.1, 23.12.0.0-23.12.18.0, 24.12.0.0-24.12.13.0 and 25.12.0.0-25.12.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data.

CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N). (legend) [Advisory]
CVE-2025-48795 Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: P6 Web Services (Apache CXF)). Supported versions that are affected are 24.12.0.0-24.12.13.0 and 25.12.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera P6 Enterprise Project Portfolio Management.

CVSS 3.1 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]

The patch for CVE-2025-48795 also addresses CVE-2025-23184.
CVE-2025-52999 Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access (jackson-core)). Supported versions that are affected are 21.12.0.0-21.12.21.6, 22.12.0.0-22.12.21.1, 23.12.0.0-23.12.18.0, 24.12.0.0-24.12.13.0 and 25.12.0.0-25.12.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera P6 Enterprise Project Portfolio Management.

CVSS 3.1 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Platform (Apache Log4j)). Supported versions that are affected are 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.16, 24.12.0-24.12.13 and 25.12.0-25.12.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Unifier accessible data as well as unauthorized read access to a subset of Primavera Unifier accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]


Text Form of Risk Matrix for Oracle E-Business Suite

This table provides the text form of the Risk Matrix for Oracle E-Business Suite.
 

CVE ID Description
CVE-2024-51504 Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core (Apache ZooKeeper)). The supported version that is affected is 15.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Command Center Framework.

CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]
CVE-2025-31672 Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: ECC Core (Apache POI)). The supported version that is affected is 15.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Command Center Framework accessible data.

CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]
CVE-2025-41242 Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: ECC Core (Spring Framework)). The supported version that is affected is 15.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data.

CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

The patch for CVE-2025-41242 also addresses CVE-2024-38820 and CVE-2025-22233.
CVE-2025-48734 Vulnerability in the Oracle Advanced Supply Chain Planning product of Oracle E-Business Suite (component: User Interface (Apache Commons BeanUtils)). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Supply Chain Planning. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Supply Chain Planning.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security (Apache Commons BeanUtils)). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle Global Order Promising product of Oracle E-Business Suite (component: Web Service (Apache Commons BeanUtils)). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Global Order Promising. Successful attacks of this vulnerability can result in takeover of Oracle Global Order Promising.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle Rapid Planning product of Oracle E-Business Suite (component: User Interface (Apache Commons BeanUtils)). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Rapid Planning. Successful attacks of this vulnerability can result in takeover of Oracle Rapid Planning.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle Yard Management product of Oracle E-Business Suite (component: Installation (Apache Commons BeanUtils)). Supported versions that are affected are 12.2.4-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Yard Management. Successful attacks of this vulnerability can result in takeover of Oracle Yard Management.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle iProcurement product of Oracle E-Business Suite (component: iProcurement ECC shopping (Apache Commons BeanUtils)). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iProcurement. Successful attacks of this vulnerability can result in takeover of Oracle iProcurement.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-58057 Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: ECC Core (Netty)). The supported version that is affected is 15.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Command Center Framework.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-58057 also addresses CVE-2023-44981, CVE-2024-13009, CVE-2024-23944, CVE-2024-47535, CVE-2024-51504, CVE-2024-6763, CVE-2025-24970, and CVE-2025-25193.
CVE-2025-68161 Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: ECC Core (Apache Log4j)). The supported version that is affected is 15.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Command Center Framework accessible data as well as unauthorized read access to a subset of Oracle Enterprise Command Center Framework accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-22011 Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: ADPatch). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications DBA, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications DBA.

CVSS 3.1 Base Score 7.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-22014 Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Workflow and Business Events). Supported versions that are affected are 12.2.7-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle User Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle User Management accessible data as well as unauthorized read access to a subset of Oracle User Management accessible data.

CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-34274 Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-34275 Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Inbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Inbound Telephony.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-34297 Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HCM Common Architecture. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HCM Common Architecture accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34298 Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Applications Framework.

CVSS 3.1 Base Score 4.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2026-34302 Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow.

CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Enterprise Manager

This table provides the text form of the Risk Matrix for Oracle Enterprise Manager.
 

CVE ID Description
CVE-2024-56406 Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen (Perl)). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data and unauthorized read access to a subset of Oracle Enterprise Manager Base Platform accessible data.

CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). (legend) [Advisory]
CVE-2024-56406 Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Manager Install (Perl)). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data and unauthorized read access to a subset of Oracle Enterprise Manager Base Platform accessible data.

CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). (legend) [Advisory]
CVE-2025-26333 Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load Testing for Web Apps (BSAFE Crypto-J)). The supported version that is affected is 13.3.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Application Testing Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Testing Suite accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Enterprise Manager for Fusion Middleware product of Oracle Enterprise Manager (component: Infrastructure Management (Spring Framework)). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager for Fusion Middleware. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Manager for Fusion Middleware accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-52999 Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Security Framework (jackson-core)). The supported version that is affected is 13.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Configuration Manager product of Oracle Enterprise Manager (component: OCM Request Tunnel (Apache Log4j)). Supported versions that are affected are 13.5 and 24.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Configuration Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configuration Manager accessible data as well as unauthorized read access to a subset of Oracle Configuration Manager accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Enterprise Manager Install (Apache Log4j)). Supported versions that are affected are 13.5 and 24.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Oracle Enterprise Manager Base Platform accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Oracle Management Service (Apache Log4j)). Supported versions that are affected are 13.5 and 24.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Oracle Enterprise Manager Base Platform accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-34279 Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform.

CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Financial Services Applications

This table provides the text form of the Risk Matrix for Oracle Financial Services Applications.
 

CVE ID Description
CVE-2021-28168 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform (Eclipse Jersey)). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Financial Services Analytical Applications Infrastructure executes to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data.

CVSS 3.1 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2023-20863 Vulnerability in the Oracle Insurance Policy Administration Operational Data Store for Life and Annuity product of Oracle Financial Services Applications (component: Logger (Spring Framework)). The supported version that is affected is 1.0.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Insurance Policy Administration Operational Data Store for Life and Annuity. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Insurance Policy Administration Operational Data Store for Life and Annuity.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2023-34034 Vulnerability in the Oracle Banking Origination product of Oracle Financial Services Applications (component: Onboarding Batch Processes (Spring Security)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Origination. Successful attacks of this vulnerability can result in takeover of Oracle Banking Origination.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2023-34034 also addresses CVE-2023-20862 and CVE-2023-34035.
CVE-2023-44981 Vulnerability in the Oracle Banking Corporate Lending Process Management product of Oracle Financial Services Applications (component: Base (Apache ZooKeeper)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Corporate Lending Process Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Corporate Lending Process Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending Process Management accessible data.

CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2023-44981 Vulnerability in the Oracle Banking Supply Chain Finance product of Oracle Financial Services Applications (component: Security (Apache ZooKeeper)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Supply Chain Finance. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Supply Chain Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Supply Chain Finance accessible data.

CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2023-44981 Vulnerability in the Oracle Banking Trade Finance Process Management product of Oracle Financial Services Applications (component: Common (Apache ZooKeeper)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Trade Finance Process Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance Process Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance Process Management accessible data.

CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2025-12183 Vulnerability in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Infrastructure (lz4-java)). The supported version that is affected is 14.8.0.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Liquidity Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Liquidity Management accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Liquidity Management.

CVSS 3.1 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H). (legend) [Advisory]
CVE-2025-1948 Vulnerability in the Oracle Banking Origination product of Oracle Financial Services Applications (component: Configuration (Eclipse Jetty)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Banking Origination. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Origination.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-27636 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Platform (Apache Camel)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Virtual Account Management accessible data as well as unauthorized read access to a subset of Oracle Banking Virtual Account Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Virtual Account Management.

CVSS 3.1 Base Score 4.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-27817 Vulnerability in the Oracle Banking Corporate Lending Process Management product of Oracle Financial Services Applications (component: Base (Apache Kafka)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Banking Corporate Lending Process Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending Process Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

The patch for CVE-2025-27817 also addresses CVE-2025-27818.
CVE-2025-27817 Vulnerability in the Oracle Banking Credit Facilities Process Management product of Oracle Financial Services Applications (component: Common (Apache Kafka)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Banking Credit Facilities Process Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Credit Facilities Process Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

The patch for CVE-2025-27817 also addresses CVE-2025-27818.
CVE-2025-27817 Vulnerability in the Oracle Banking Origination product of Oracle Financial Services Applications (component: Configuration (Apache Kafka)). Supported versions that are affected are 14.6.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Banking Origination. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Origination accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

The patch for CVE-2025-27817 also addresses CVE-2025-27818.
CVE-2025-27817 Vulnerability in the Oracle Banking Supply Chain Finance product of Oracle Financial Services Applications (component: Security (Apache Kafka)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Banking Supply Chain Finance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Supply Chain Finance accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

The patch for CVE-2025-27817 also addresses CVE-2025-27818.
CVE-2025-27817 Vulnerability in the Oracle Banking Trade Finance Process Management product of Oracle Financial Services Applications (component: Dashboard (Apache Kafka)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Banking Trade Finance Process Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Trade Finance Process Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

The patch for CVE-2025-27817 also addresses CVE-2025-27818.
CVE-2025-27817 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Core (Apache Kafka)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Virtual Account Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

The patch for CVE-2025-27817 also addresses CVE-2025-27818.
CVE-2025-27820 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform (Apache HttpClient)). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Financial Services Analytical Applications Infrastructure accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]
CVE-2025-27820 Vulnerability in the Oracle Financial Services Regulatory Reporting product of Oracle Financial Services Applications (component: Installer (Apache HttpClient)). Supported versions that are affected are 8.1.2.10 and 8.1.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Regulatory Reporting. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Financial Services Regulatory Reporting accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]
CVE-2025-27821 Vulnerability in the Oracle Financial Services Model Management and Governance product of Oracle Financial Services Applications (component: Installer (Apache Hadoop)). The supported version that is affected is 8.1.2.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Model Management and Governance. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Model Management and Governance accessible data as well as unauthorized read access to a subset of Oracle Financial Services Model Management and Governance accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Financial Services Model Management and Governance.

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-41248 Vulnerability in the Oracle Banking Branch product of Oracle Financial Services Applications (component: Reports (Spring Security)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Branch. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Branch accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Banking Branch product of Oracle Financial Services Applications (component: Reports (Spring Framework)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Branch. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Branch accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Banking Cash Management product of Oracle Financial Services Applications (component: Accessibility (Spring Framework)). The supported version that is affected is 14.8.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Cash Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Cash Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Banking Corporate Lending product of Oracle Financial Services Applications (component: Core (Spring Framework)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Corporate Lending. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Banking Corporate Lending Process Management product of Oracle Financial Services Applications (component: Base (Spring Framework)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Corporate Lending Process Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending Process Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Banking Origination product of Oracle Financial Services Applications (component: Configuration (Spring Framework)). Supported versions that are affected are 14.6.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Origination. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Origination accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Core (Spring Framework)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Common Core (Spring Framework)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Virtual Account Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

The patch for CVE-2025-41249 also addresses CVE-2025-22233 and CVE-2025-41242.
CVE-2025-41249 Vulnerability in the Oracle Documaker product of Oracle Financial Services Applications (component: Documaker Core (Spring Framework)). Supported versions that are affected are 12.7.2-13.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Documaker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Documaker accessible data.

CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]
CVE-2025-41254 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform (Spring Framework)). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data.

CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). (legend) [Advisory]
CVE-2025-46392 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Common Core (Apache Commons Configuration)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Virtual Account Management.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle Banking Corporate Lending Process Management product of Oracle Financial Services Applications (component: Base (Apache Commons BeanUtils)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Corporate Lending Process Management. Successful attacks of this vulnerability can result in takeover of Oracle Banking Corporate Lending Process Management.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle Banking Origination product of Oracle Financial Services Applications (component: Configuration (Apache Commons BeanUtils)). Supported versions that are affected are 14.6.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Origination. Successful attacks of this vulnerability can result in takeover of Oracle Banking Origination.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle Insurance Policy Administration Operational Data Store for Life and Annuity product of Oracle Financial Services Applications (component: Logger (Apache Commons BeanUtils)). The supported version that is affected is 1.0.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Insurance Policy Administration Operational Data Store for Life and Annuity. Successful attacks of this vulnerability can result in takeover of Oracle Insurance Policy Administration Operational Data Store for Life and Annuity.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Core (Apache Commons Lang)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Trade Finance.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Common Core (Apache Commons Lang)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Virtual Account Management.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Platform (Apache Commons Lang)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Banking Virtual Account Management.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Documaker product of Oracle Financial Services Applications (component: Documaker Core (Apache Commons Lang)). Supported versions that are affected are 12.7.2-13.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Documaker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Documaker.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Financial Services Lending and Leasing product of Oracle Financial Services Applications (component: Apache Commons (Apache Commons Lang)). Supported versions that are affected are 14.8.0.0.0 and 14.10.0.0.0-14.12.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Lending and Leasing. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Financial Services Lending and Leasing.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle Banking Collections and Recovery product of Oracle Financial Services Applications (component: Infrastructure (Apache Commons FileUpload)). Supported versions that are affected are 14.6.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Collections and Recovery. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Collections and Recovery.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle Banking Corporate Lending Process Management product of Oracle Financial Services Applications (component: Core (Apache Commons FileUpload)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Corporate Lending Process Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Corporate Lending Process Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle Banking Credit Facilities Process Management product of Oracle Financial Services Applications (component: Common (Apache Commons FileUpload)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Credit Facilities Process Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Credit Facilities Process Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle Banking Origination product of Oracle Financial Services Applications (component: Configuration (Apache Commons FileUpload)). Supported versions that are affected are 14.6.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Origination. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Origination.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle Banking Supply Chain Finance product of Oracle Financial Services Applications (component: Security (Apache Commons FileUpload)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Supply Chain Finance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Supply Chain Finance.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle Banking Trade Finance Process Management product of Oracle Financial Services Applications (component: Dashboard (Apache Commons FileUpload)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Trade Finance Process Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Trade Finance Process Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Core (Apache Commons FileUpload)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Virtual Account Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Platform (Apache Commons FileUpload)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Virtual Account Management.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-48976 Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management product of Oracle Financial Services Applications (component: Infrastructure (Apache Commons FileUpload)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Enterprise Limits and Collateral Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle FLEXCUBE Enterprise Limits and Collateral Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-5115 Vulnerability in the Oracle Banking Credit Facilities Process Management product of Oracle Financial Services Applications (component: Common (Eclipse Jetty)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Banking Credit Facilities Process Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Credit Facilities Process Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-55163 Vulnerability in the Oracle Banking Origination product of Oracle Financial Services Applications (component: Configuration (Netty)). Supported versions that are affected are 14.6.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Banking Origination. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Origination.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-55163 Vulnerability in the Oracle Banking Payments product of Oracle Financial Services Applications (component: Payments (Netty)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Banking Payments. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Payments.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-55163 Vulnerability in the Oracle Banking Trade Finance Process Management product of Oracle Financial Services Applications (component: Dashboard (Netty)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Banking Trade Finance Process Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Trade Finance Process Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-55163 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Core (Netty)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Virtual Account Management.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-58057 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Platform (Netty)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Banking Virtual Account Management.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-58057 also addresses CVE-2025-58056.
CVE-2025-66516 Security-in-Depth issue in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Common (Apache Tika)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66516 Security-in-Depth issue in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Platform (Apache Tika)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-66566 Vulnerability in the Oracle Banking Branch product of Oracle Financial Services Applications (component: Reports (lz4-java)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Branch. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Branch accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-66566 Vulnerability in the Oracle Banking Cash Management product of Oracle Financial Services Applications (component: Common (lz4-java)). The supported version that is affected is 14.8.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Cash Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Cash Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-66566 Vulnerability in the Oracle Banking Corporate Lending Process Management product of Oracle Financial Services Applications (component: Base (lz4-java)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Corporate Lending Process Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending Process Management accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-66566 Vulnerability in the Oracle Banking Origination product of Oracle Financial Services Applications (component: Configuration (lz4-java)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Origination. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Banking Origination accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-67735 Vulnerability in the Oracle Banking Liquidity Management product of Oracle Financial Services Applications (component: Infrastructure (Netty)). The supported version that is affected is 14.8.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Liquidity Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Liquidity Management accessible data as well as unauthorized read access to a subset of Oracle Banking Liquidity Management accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Banking Virtual Account Management product of Oracle Financial Services Applications (component: Platform (Apache Log4j)). Supported versions that are affected are 14.5.0.0.0-14.8.0.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Banking Virtual Account Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Banking Virtual Account Management accessible data as well as unauthorized read access to a subset of Oracle Banking Virtual Account Management accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform (Apache Log4j)). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Financial Services Behavior Detection Platform product of Oracle Financial Services Applications (component: Third Party (Apache Log4j)). Supported versions that are affected are 8.0.8.1, 8.1.2.10 and 8.1.2.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Financial Services Behavior Detection Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Behavior Detection Platform accessible data as well as unauthorized read access to a subset of Oracle Financial Services Behavior Detection Platform accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Financial Services Enterprise Case Management product of Oracle Financial Services Applications (component: Installers (Apache Log4j)). Supported versions that are affected are 8.0.8.2, 8.1.2.10 and 8.1.2.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Financial Services Enterprise Case Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Enterprise Case Management accessible data as well as unauthorized read access to a subset of Oracle Financial Services Enterprise Case Management accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Financial Services Model Management and Governance product of Oracle Financial Services Applications (component: Installer (Apache Log4j)). The supported version that is affected is 8.1.2.7. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Financial Services Model Management and Governance. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Model Management and Governance accessible data as well as unauthorized read access to a subset of Oracle Financial Services Model Management and Governance accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition product of Oracle Financial Services Applications (component: Platform (Apache Log4j)). The supported version that is affected is 8.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Insurance Policy Administration J2EE product of Oracle Financial Services Applications (component: Architecture (Apache Log4j)). Supported versions that are affected are 11.3.1.0, 11.3.2.0, 12.0.5.0 and 12.1.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Insurance Policy Administration J2EE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Insurance Policy Administration J2EE accessible data as well as unauthorized read access to a subset of Oracle Insurance Policy Administration J2EE accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-22010 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-25210 Vulnerability in the Oracle Financial Services Behavior Detection Platform product of Oracle Financial Services Applications (component: Third Party (LibExpat)). Supported versions that are affected are 8.0.8.1, 8.1.2.10 and 8.1.2.11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Financial Services Behavior Detection Platform executes to compromise Oracle Financial Services Behavior Detection Platform. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Behavior Detection Platform.

CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-25210 also addresses CVE-2026-24515.
CVE-2026-25210 Vulnerability in the Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition product of Oracle Financial Services Applications (component: Platform (LibExpat)). The supported version that is affected is 8.0.8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition executes to compromise Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition.

CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-25210 also addresses CVE-2026-24515.
CVE-2026-25990 Vulnerability in the Oracle Financial Services Compliance Studio product of Oracle Financial Services Applications (component: Reports (Pillow)). The supported version that is affected is 8.1.2.9. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Compliance Studio. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Compliance Studio.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34310 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34313 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34314 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data.

CVSS 3.1 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2026-34320 Vulnerability in the Oracle Financial Services Customer Screening product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Customer Screening. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Customer Screening accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34321 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34325 Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: User Interface). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Financial Services Analytical Applications Infrastructure executes to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Financial Services Analytical Applications Infrastructure.

CVSS 3.1 Base Score 6.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H). (legend) [Advisory]
CVE-2026-35231 Vulnerability in the Oracle Financial Services Transaction Filtering product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Transaction Filtering. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Transaction Filtering accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Fusion Middleware

This table provides the text form of the Risk Matrix for Oracle Fusion Middleware.

CVE ID Description
CVE-2021-22573 Vulnerability in the Oracle Middleware Common Libraries and Tools product of Oracle Fusion Middleware (component: Third Party (Google OAuth Client)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Middleware Common Libraries and Tools. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Middleware Common Libraries and Tools accessible data as well as unauthorized access to critical data or complete access to all Oracle Middleware Common Libraries and Tools accessible data.

CVSS 3.1 Base Score 7.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2021-45046 Vulnerability in the Oracle Business Activity Monitoring product of Oracle Fusion Middleware (component: Centralized Thirdparty Jars (Apache Log4j)). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Activity Monitoring. While the vulnerability is in Oracle Business Activity Monitoring, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Business Activity Monitoring.

CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2021-45046 also addresses CVE-2025-48924.
CVE-2022-45047 Vulnerability in the Oracle Managed File Transfer product of Oracle Fusion Middleware (component: Runtime Server (Apache Mina SSHD)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSH to compromise Oracle Managed File Transfer. Successful attacks of this vulnerability can result in takeover of Oracle Managed File Transfer.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2022-45047 also addresses CVE-2023-48795.
CVE-2023-2976 Vulnerability in the Oracle Managed File Transfer product of Oracle Fusion Middleware (component: Oracle MFT Installer (Google Guava)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Managed File Transfer executes to compromise Oracle Managed File Transfer. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Managed File Transfer accessible data as well as unauthorized access to critical data or complete access to all Oracle Managed File Transfer accessible data.

CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2024-13009 Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Third Party (jackson-databind)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data.

CVSS 3.1 Base Score 7.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2024-29857 Vulnerability in the Oracle SOA Suite product of Oracle Fusion Middleware (component: B2B Engine (Bouncy Castle Java Library)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle SOA Suite. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle SOA Suite.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2024-29857 also addresses CVE-2025-8885.
CVE-2024-31573 Vulnerability in the Oracle SOA Suite product of Oracle Fusion Middleware (component: Fabric Layer (xmlunit)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle SOA Suite executes to compromise Oracle SOA Suite. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle SOA Suite accessible data as well as unauthorized read access to a subset of Oracle SOA Suite accessible data.

CVSS 3.1 Base Score 4.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2024-43394 Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core (Apache HTTP Server)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data.

Note: This vulnerability applies to Windows only.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-0725 Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Web Server Plugin (curl)). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Access Manager.

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-12383 Vulnerability in the Oracle SOA Suite product of Oracle Fusion Middleware (component: B2B Engine (Eclipse Jersey)). The supported version that is affected is 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle SOA Suite. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle SOA Suite accessible data as well as unauthorized access to critical data or complete access to all Oracle SOA Suite accessible data.

CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2025-14017 Security-in-Depth issue in the Oracle HTTP Server product of Oracle Fusion Middleware (component: ModSecurity (curl)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-31672 Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces (Apache POI)). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data.

CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]
CVE-2025-33042 Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Composer (Apache Avro)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Process Management Suite.

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-33042 Vulnerability in the Oracle Middleware Common Libraries and Tools product of Oracle Fusion Middleware (component: Third Party (Apache Avro)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Middleware Common Libraries and Tools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Middleware Common Libraries and Tools accessible data as well as unauthorized read access to a subset of Oracle Middleware Common Libraries and Tools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Middleware Common Libraries and Tools.

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-33042 Vulnerability in the Oracle SOA Suite product of Oracle Fusion Middleware (component: Adapters (Apache Avro)). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle SOA Suite. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle SOA Suite accessible data as well as unauthorized read access to a subset of Oracle SOA Suite accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle SOA Suite.

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-35036 Vulnerability in the Oracle Middleware Common Libraries and Tools product of Oracle Fusion Middleware (component: Third Party (Validator)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Middleware Common Libraries and Tools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Middleware Common Libraries and Tools accessible data as well as unauthorized read access to a subset of Oracle Middleware Common Libraries and Tools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Middleware Common Libraries and Tools.

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-35036 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized Thirdparty Jars (Validator)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-41249 Vulnerability in the Oracle WebCenter Forms Recognition product of Oracle Fusion Middleware (component: Learnset Manager (Spring Framework)). The supported version that is affected is 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Forms Recognition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Forms Recognition accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-41254 Vulnerability in the Oracle Middleware Common Libraries and Tools product of Oracle Fusion Middleware (component: Third Party (Spring Web Services)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Middleware Common Libraries and Tools. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Middleware Common Libraries and Tools accessible data.

CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). (legend) [Advisory]
CVE-2025-46392 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized Thirdparty Jars (Apache Commons Lang)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-46392 also addresses CVE-2025-48924.
CVE-2025-48924 Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Composer (Apache Commons Lang)). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Process Management Suite.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces (Apache Commons Lang)). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Application Development Framework (ADF).

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Middleware Common Libraries and Tools product of Oracle Fusion Middleware (component: Third Party (Apache Commons Lang)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Middleware Common Libraries and Tools. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Middleware Common Libraries and Tools.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Web Services Manager product of Oracle Fusion Middleware (component: Third Party (Apache Commons Lang)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Services Manager. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Web Services Manager.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-52999 Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Document Service (jackson-core)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Business Process Management Suite.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-53864 Vulnerability in the Oracle Data Integrator product of Oracle Fusion Middleware (component: Security (Nimbus JOSE+JWT)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Data Integrator. While the vulnerability is in Oracle Data Integrator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Data Integrator.

CVSS 3.1 Base Score 5.8 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-58098 Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core (Apache HTTP Server)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle HTTP Server.

CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). (legend) [Advisory]

The patch for CVE-2025-58098 also addresses CVE-2025-54090.
CVE-2025-59775 Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core (Apache HTTP Server)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data.

Note: This vulnerability applies to Windows only.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-65082 Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core (Apache HTTP Server)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data as well as unauthorized read access to a subset of Oracle HTTP Server accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Runtime Engine (Apache Log4j)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Data Integrator product of Oracle Fusion Middleware (component: Security (Apache Log4j)). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Data Integrator. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Data Integrator accessible data as well as unauthorized read access to a subset of Oracle Data Integrator accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Installer (Apache Log4j)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Identity Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Managed File Transfer product of Oracle Fusion Middleware (component: MFT Runtime Server (Apache Log4j)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Managed File Transfer. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Managed File Transfer accessible data as well as unauthorized read access to a subset of Oracle Managed File Transfer accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Middleware Common Libraries and Tools product of Oracle Fusion Middleware (component: Thirdparty Patch (Apache Log4j)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Middleware Common Libraries and Tools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Middleware Common Libraries and Tools accessible data as well as unauthorized read access to a subset of Oracle Middleware Common Libraries and Tools accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Thick Client (Apache Log4j)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized Third Party Jars (Apache Log4j)). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68431 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: DC-Specific Component (libheif)). The supported version that is affected is 8.5.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Outside In Technology and unauthorized read access to a subset of Oracle Outside In Technology accessible data.

CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H). (legend) [Advisory]
CVE-2025-68615 Vulnerability in the Oracle Tuxedo product of Oracle Fusion Middleware (component: Docs-ATMI-IB (Net-SNMP)). Supported versions that are affected are 22.1.0 and 22.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via UDP to compromise Oracle Tuxedo. Successful attacks of this vulnerability can result in takeover of Oracle Tuxedo.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-8916 Vulnerability in the Oracle Middleware Common Libraries and Tools product of Oracle Fusion Middleware (component: Thirdparty Patch (Bouncy Castle Java Library)). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Middleware Common Libraries and Tools. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Middleware Common Libraries and Tools.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-8916 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized Thirdparty Jars (Bouncy Castle Java Library)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2026-21939 Vulnerability in Oracle Fusion Middleware (component: Oracle Database Client for Fusion Middleware). The supported version that is affected is 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Fusion Middleware executes to compromise Oracle Fusion Middleware. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Fusion Middleware.

CVSS 3.1 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-22184 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Outside In Maintenance (zlib)). The supported version that is affected is 8.5.8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Outside In Technology executes to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in takeover of Oracle Outside In Technology.

CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-25210 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: DC-Specific Component (LibExpat)). The supported version that is affected is 8.5.8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Outside In Technology executes to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in takeover of Oracle Outside In Technology.

CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-25210 also addresses CVE-2026-24515.
CVE-2026-25646 Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: DC-Specific Component (libpng)). The supported version that is affected is 8.5.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in takeover of Oracle Outside In Technology.

CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-34283 Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-34284 Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-34285 Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data.

CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2026-34286 Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data.

CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2026-34287 Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data.

CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2026-34288 Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data.

CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34289 Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data.

CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34290 Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Identity Manager Connector.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34291 Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data.

CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N). (legend) [Advisory]
CVE-2026-34292 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-34294 Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Microsoft Active Directory). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows low privileged attacker with network access via LDAP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized read access to a subset of Oracle Identity Manager Connector accessible data.

CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N). (legend) [Advisory]
CVE-2026-34305 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34315 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data.

CVSS 3.1 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N). (legend) [Advisory]
CVE-2026-35232 Vulnerability in Oracle Fusion Middleware (component: Dynamic Monitoring Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Fusion Middleware. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Fusion Middleware, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Fusion Middleware accessible data as well as unauthorized read access to a subset of Oracle Fusion Middleware accessible data.

CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-35243 Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF).

CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-35252 Vulnerability in the Oracle Security Service product of Oracle Fusion Middleware (component: C Oracle SSL API). Supported versions that are affected are 12.2.1.4.0 and 12.1.3.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Security Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Security Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Security Service accessible data.

CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Analytics

This table provides the text form of the Risk Matrix for Oracle Analytics.
 

CVE ID Description
CVE-2021-28168 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (Eclipse Jersey)). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.

CVSS 3.1 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2023-35116 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (jackson-databind)). The supported version that is affected is 8.2.0.0.0. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 4.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2023-52428 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (Nimbus JOSE+JWT)). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-15467 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: BI Platform Security (OpenSSL)). The supported version that is affected is 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-15467 also addresses CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796.
CVE-2025-24970 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Analytics Server (Netty)). The supported version that is affected is 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-33042 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (Apache Avro)). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2025-46762 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (Apache Parquet Java)). The supported version that is affected is 8.2.0.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48734 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (Apache Commons BeanUtils)). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: BI Publisher Microservice (Apache Commons Lang)). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle BI Publisher.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-58057 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (Netty)). The supported version that is affected is 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-58057 also addresses CVE-2025-55163 and CVE-2025-58056.
CVE-2025-59419 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (netty-codec-smtp)). The supported version that is affected is 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via SMTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.

CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Analytics Server (Apache Log4j)). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-21441 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Pipeline Test Failures (urllib3)). The supported version that is affected is 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-27727 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (Mchange Commons Java)). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-27830 Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security (c3p0)). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. While the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition.

CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Life Science Applications

This table provides the text form of the Risk Matrix for Oracle Life Science Applications.
 

CVE ID Description
CVE-2025-68161 Vulnerability in the Oracle Life Sciences Empirica Signal product of Oracle Life Science Applications (component: Common Core (Apache Log4j)). Supported versions that are affected are 9.2.1-9.2.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Life Sciences Empirica Signal. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Empirica Signal accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Empirica Signal accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-21997 Vulnerability in the Oracle Life Sciences Empirica Signal product of Oracle Life Science Applications (component: Common Core). Supported versions that are affected are 9.2.1-9.2.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Empirica Signal. While the vulnerability is in Oracle Life Sciences Empirica Signal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Life Sciences Empirica Signal accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Empirica Signal accessible data.

CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N). (legend) [Advisory]
CVE-2026-34323 Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: IDM Authentication). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as unauthorized read access to a subset of Oracle Life Sciences InForm accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Life Sciences InForm.

CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2026-34324 Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: App Server). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as unauthorized read access to a subset of Oracle Life Sciences InForm accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Hospitality Applications

This table provides the text form of the Risk Matrix for Oracle Hospitality Applications.
 

CVE ID Description
CVE-2026-24734 Vulnerability in the Oracle Hospitality Cruise Shipboard Property Management (SPMS) product of Oracle Hospitality Applications (component: Next-Gen SPMS (Apache Tomcat)). Supported versions that are affected are 23.1.5-23.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Cruise Shipboard Property Management (SPMS). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hospitality Cruise Shipboard Property Management (SPMS) accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]

The patch for CVE-2026-24734 also addresses CVE-2025-61795.

Text Form of Risk Matrix for Oracle Hyperion

This table provides the text form of the Risk Matrix for Oracle Hyperion.
 

CVE ID Description
CVE-2025-54571 Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Installation and Configuration (ModSecurity)). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hyperion Infrastructure Technology, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hyperion Infrastructure Technology accessible data as well as unauthorized read access to a subset of Oracle Hyperion Infrastructure Technology accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-64775 Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Installation and Configuration (Apache Struts)). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hyperion Infrastructure Technology.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-65018 Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Installation and Configuration (libpng)). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Hyperion Infrastructure Technology executes to compromise Oracle Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Infrastructure Technology accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hyperion Infrastructure Technology.

CVSS 3.1 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-65018 also addresses CVE-2025-64505, CVE-2025-64506, and CVE-2025-64720.
CVE-2025-66566 Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Installation and Configuration (lz4-java)). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Infrastructure Technology accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-9086 Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Installation and Configuration (curl)). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hyperion Infrastructure Technology.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-9086 also addresses CVE-2025-10148.
CVE-2026-35244 Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Infrastructure Technology accessible data as well as unauthorized read access to a subset of Oracle Hyperion Infrastructure Technology accessible data.

CVSS 3.1 Base Score 5.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Java SE

This table provides the text form of the Risk Matrix for Oracle Java SE.
 

CVE ID Description
CVE-2026-20652 Vulnerability in Oracle Java SE (component: JavaFX (WebKitGTK)). Supported versions that are affected are Oracle Java SE: 8u481-b50. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2026-20652 also addresses CVE-2025-43457, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, and CVE-2026-20676.
CVE-2026-22003 Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS 3.1 Base Score 6.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H). (legend) [Advisory]
CVE-2026-22007 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]
CVE-2026-22008 Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). (legend) [Advisory]
CVE-2026-22013 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-22016 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-22018 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2026-22021 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2026-22801 Security-in-Depth issue in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT (libpng)). For supported versions that are affected see note. This vulnerability cannot be exploited in the context of this product.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. [Advisory]
CVE-2026-23865 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D (FreeType)). Supported versions that are affected are Oracle Java SE: 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). (legend) [Advisory]
CVE-2026-34268 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]
CVE-2026-34282 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle JD Edwards

This table provides the text form of the Risk Matrix for Oracle JD Edwards.
 

CVE ID Description
CVE-2023-5388 Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security (NSS)). Supported versions that are affected are 9.2.0.0-9.2.26.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of JD Edwards EnterpriseOne Tools.

CVSS 3.1 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security (Apache Commons Lang)). Supported versions that are affected are 9.2.0.0-9.2.26.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of JD Edwards EnterpriseOne Tools.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-9230 Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security (OpenSSL)). Supported versions that are affected are 9.2.0.0-9.2.26.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of JD Edwards EnterpriseOne Tools.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-9230 also addresses CVE-2025-9231 and CVE-2025-9232.

Text Form of Risk Matrix for Oracle MySQL

This table provides the text form of the Risk Matrix for Oracle MySQL.
 

CVE ID Description
CVE-2025-14017 Vulnerability in the MySQL Enterprise Backup product of Oracle MySQL (component: Enterprise Backup (curl)). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Enterprise Backup executes to compromise MySQL Enterprise Backup. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Enterprise Backup accessible data as well as unauthorized access to critical data or complete access to all MySQL Enterprise Backup accessible data.

CVSS 3.1 Base Score 6.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). (legend) [Advisory]

The patch for CVE-2025-14017 also addresses CVE-2025-13034, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, and CVE-2025-15224.
CVE-2025-14017 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging (curl)). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data as well as unauthorized access to critical data or complete access to all MySQL Server accessible data.

CVSS 3.1 Base Score 6.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). (legend) [Advisory]

The patch for CVE-2025-14017 also addresses CVE-2025-13034, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, and CVE-2025-15224.
CVE-2025-15467 Security-in-Depth issue in the MySQL Connectors product of Oracle MySQL (component: Connector/C++ (OpenSSL)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-15467 Security-in-Depth issue in the MySQL Connectors product of Oracle MySQL (component: Connector/ODBC (OpenSSL)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-15467 Vulnerability in the MySQL Enterprise Backup product of Oracle MySQL (component: Enterprise Backup (OpenSSL)). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Enterprise Backup. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Backup.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-15467 also addresses CVE-2025-11187, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796.
CVE-2025-15467 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging (OpenSSL)). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-15467 also addresses CVE-2025-11187, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796.
CVE-2025-15467 Vulnerability in the MySQL Workbench product of Oracle MySQL (component: MySQL Workbench (OpenSSL)). Supported versions that are affected are 8.0.0-8.0.46. Easily exploitable vulnerability allows unauthenticated attacker with network access via MySQL Workbench to compromise MySQL Workbench. Successful attacks of this vulnerability can result in takeover of MySQL Workbench.

CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-15467 also addresses CVE-2025-11187, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796.
CVE-2025-5318 Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General (libssh)). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Cluster accessible data as well as unauthorized read access to a subset of MySQL Cluster accessible data.

CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]

The patch for CVE-2025-5318 also addresses CVE-2025-4877, CVE-2025-4878, CVE-2025-5351, CVE-2025-5372, CVE-2025-5449, and CVE-2025-5987.
CVE-2026-21998 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-22001 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data.

CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]
CVE-2026-22002 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-22004 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-22005 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-22009 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-22015 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data.

CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]
CVE-2026-22017 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-25646 Security-in-Depth issue in the MySQL Workbench product of Oracle MySQL (component: MySQL Workbench (libpng)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2026-34267 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34270 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34271 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34272 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34276 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34278 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34293 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.45. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34303 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34304 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34308 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34317 Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell.

CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-34318 Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data.

CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34319 Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell.

CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-35234 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Partition). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-35235 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-35236 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-35237 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-35238 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-35239 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-35240 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle PeopleSoft

This table provides the text form of the Risk Matrix for Oracle PeopleSoft.
 

CVE ID Description
CVE-2025-14017 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: File Processing (libcurl)). Supported versions that are affected are 8.61-8.62. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where PeopleSoft Enterprise PeopleTools executes to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data.

CVSS 3.1 Base Score 6.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). (legend) [Advisory]

The patch for CVE-2025-14017 also addresses CVE-2025-13034, CVE-2025-14524, CVE-2025-14819, CVE-2025-15079, and CVE-2025-15224.
CVE-2025-15467 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security (OpenSSL)). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-15467 also addresses CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796.
CVE-2025-43967 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: XMLPublisher (libheif)). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of PeopleSoft Enterprise PeopleTools.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-43967 also addresses CVE-2025-29482 and CVE-2025-43966.
CVE-2025-58754 Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Common Application Objects (Axios)). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise CC Common Application Objects. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of PeopleSoft Enterprise CC Common Application Objects.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2025-66418 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Porting (urllib3)). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of PeopleSoft Enterprise PeopleTools.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-66418 also addresses CVE-2025-66471.
CVE-2025-68161 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: OpenSearch (Apache Log4j)). Supported versions that are affected are 8.61-8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-8194 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Porting (Python)). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of PeopleSoft Enterprise PeopleTools.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-8194 also addresses CVE-2025-6069.
CVE-2026-22006 Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data.

CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-22019 Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Person Search). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Shared Components. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Shared Components, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Shared Components accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Shared Components accessible data.

CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-34266 Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Absence Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Absence Management accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Absence Management accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2026-34269 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data.

CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-34277 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Fluid Core). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. While the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of PeopleSoft Enterprise PeopleTools.

CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L). (legend) [Advisory]
CVE-2026-34280 Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Job Profile Manager). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Human Resources accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2026-34295 Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise SCM Purchasing accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34299 Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Maintenance Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Maintenance Management accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34300 Vulnerability in the PeopleSoft Enterprise FIN Contracts product of Oracle PeopleSoft (component: Contracts). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Contracts. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Contracts accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34301 Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Maintenance Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Maintenance Management accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34306 Vulnerability in the PeopleSoft Enterprise FIN Project Costing product of Oracle PeopleSoft (component: Projects). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Project Costing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Project Costing accessible data.

CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-34307 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Workflow). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data.

CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-34309 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data.

CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). (legend) [Advisory]
CVE-2026-35241 Vulnerability in the PeopleSoft Enterprise CS Student Records product of Oracle PeopleSoft (component: Research Tracking). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Student Records. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Student Records accessible data.

CVSS 3.1 Base Score 5.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Retail Applications

This table provides the text form of the Risk Matrix for Oracle Retail Applications.
 

CVE ID Description
CVE-2025-48924 Vulnerability in the Oracle Retail Assortment Planning product of Oracle Retail Applications (component: Application Core (Apache Commons Lang)). Supported versions that are affected are 15.0 and 16.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Retail Assortment Planning. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Assortment Planning.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Retail Warehouse Management System product of Oracle Retail Applications (component: Security (Apache Commons Lang)). The supported version that is affected is 16.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Warehouse Management System. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Warehouse Management System.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Assortment Planning product of Oracle Retail Applications (component: Application Core (Apache Log4j)). Supported versions that are affected are 15.0 and 16.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Assortment Planning. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Assortment Planning accessible data as well as unauthorized read access to a subset of Oracle Retail Assortment Planning accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Bulk Data Integration product of Oracle Retail Applications (component: BDI Job Scheduler (Apache Log4j)). Supported versions that are affected are 16.0.3 and 19.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Bulk Data Integration. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Bulk Data Integration accessible data as well as unauthorized read access to a subset of Oracle Retail Bulk Data Integration accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail EFTLink product of Oracle Retail Applications (component: Core/Plugin (Apache Log4j)). Supported versions that are affected are 21.0.0-25.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail EFTLink. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail EFTLink accessible data as well as unauthorized read access to a subset of Oracle Retail EFTLink accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Extract Transform and Load product of Oracle Retail Applications (component: Mathematical Operators (Apache Log4j)). The supported version that is affected is 13.0.5. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Extract Transform and Load. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Extract Transform and Load accessible data as well as unauthorized read access to a subset of Oracle Retail Extract Transform and Load accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Financial Integration product of Oracle Retail Applications (component: PeopleSoft Integration (Apache Log4j)). Supported versions that are affected are 16.0.3 and 19.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Financial Integration. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Financial Integration accessible data as well as unauthorized read access to a subset of Oracle Retail Financial Integration accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Fiscal Management product of Oracle Retail Applications (component: NF Issuing (Apache Log4j)). The supported version that is affected is 14.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Fiscal Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Fiscal Management accessible data as well as unauthorized read access to a subset of Oracle Retail Fiscal Management accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Integration Bus product of Oracle Retail Applications (component: RIB Kernal (Apache Log4j)). Supported versions that are affected are 16.0.3 and 19.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Integration Bus. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Integration Bus accessible data as well as unauthorized read access to a subset of Oracle Retail Integration Bus accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Merchandise Financial Planning product of Oracle Retail Applications (component: Application Core (Apache Log4j)). Supported versions that are affected are 15.0 and 16.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Merchandise Financial Planning. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Merchandise Financial Planning accessible data as well as unauthorized read access to a subset of Oracle Retail Merchandise Financial Planning accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Merchandising System product of Oracle Retail Applications (component: Security (Apache Log4j)). Supported versions that are affected are 16.0.3 and 19.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Merchandising System. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Merchandising System accessible data as well as unauthorized read access to a subset of Oracle Retail Merchandising System accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Predictive Application Server product of Oracle Retail Applications (component: RPAS Fusion Client (Apache Log4j)). The supported version that is affected is 16.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Predictive Application Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Predictive Application Server accessible data as well as unauthorized read access to a subset of Oracle Retail Predictive Application Server accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Price Management product of Oracle Retail Applications (component: Security (Apache Log4j)). The supported version that is affected is 16.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Price Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Price Management accessible data as well as unauthorized read access to a subset of Oracle Retail Price Management accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Retail Service Backbone product of Oracle Retail Applications (component: RSB Installation (Apache Log4j)). Supported versions that are affected are 16.0.3 and 19.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Retail Service Backbone. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Service Backbone accessible data as well as unauthorized read access to a subset of Oracle Retail Service Backbone accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-7962 Vulnerability in the Oracle Retail Xstore Point of Service product of Oracle Retail Applications (component: Point of Sale (Jakarta Mail)). Supported versions that are affected are 21.0.5 and 22.0.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via SMTP to compromise Oracle Retail Xstore Point of Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Retail Xstore Point of Service accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Siebel CRM

This table provides the text form of the Risk Matrix for Oracle Siebel CRM.
 

CVE ID Description
CVE-2022-45688 Vulnerability in the Siebel CRM Administration product of Oracle Siebel CRM (component: Data Archival (Quartz)). Supported versions that are affected are 17.0-25.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Administration. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Administration.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2023-1436 Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: REST (Jettison)). Supported versions that are affected are 17.0-26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Integration.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2023-1436 also addresses CVE-2022-40149, CVE-2022-40150, CVE-2022-45685, CVE-2022-45693, CVE-2026-28493, CVE-2026-28494, CVE-2026-28686, CVE-2026-28687, CVE-2026-28688, CVE-2026-28689, CVE-2026-28690, CVE-2026-28691, CVE-2026-28692, CVE-2026-28693, CVE-2026-30883, CVE-2026-30929, CVE-2026-30931, CVE-2026-30935, and CVE-2026-30936.
CVE-2023-26464 Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure (Apache Log4j)). Supported versions that are affected are 17.0-25.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2023-26464 also addresses CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307.
CVE-2024-29371 Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: Event Publish and Subscribe (jose4j)). Supported versions that are affected are 17.0-26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Integration.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2024-29371 also addresses CVE-2023-51775.
CVE-2024-36124 Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: Open Integration (Snappy)). Supported versions that are affected are 17.0-26.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Siebel CRM Integration.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-13601 Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager (glib)). Supported versions that are affected are 17.0-26.2. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Siebel CRM Cloud Applications executes to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Siebel CRM Cloud Applications accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Cloud Applications.

CVSS 3.1 Base Score 7.7 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). (legend) [Advisory]
CVE-2025-27817 Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: Event Publish and Subscribe (Apache Kafka)). Supported versions that are affected are 17.0-26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Siebel CRM Integration accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]

The patch for CVE-2025-27817 also addresses CVE-2025-27818.
CVE-2025-48924 Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Keyword Automation (Apache Commons Lang)). Supported versions that are affected are 17.0-26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Siebel CRM Deployment.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-58057 Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Keyword Automation (Netty)). Supported versions that are affected are 17.0-26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-58057 also addresses CVE-2025-55163 and CVE-2025-58056.
CVE-2025-68161 Vulnerability in the Siebel CRM Development product of Oracle Siebel CRM (component: Siebel Approval Manager (Apache Log4j)). Supported versions that are affected are 17.0-26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Development. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel CRM Development accessible data as well as unauthorized read access to a subset of Siebel CRM Development accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: EAI (Apache Log4j)). Supported versions that are affected are 17.0-26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Siebel CRM Integration accessible data as well as unauthorized read access to a subset of Siebel CRM Integration accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-69223 Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager (AIOHTTP)). Supported versions that are affected are 17.0-26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Cloud Applications.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-69223 also addresses CVE-2025-69224, CVE-2025-69225, CVE-2025-69226, CVE-2025-69227, CVE-2025-69228, CVE-2025-69229, and CVE-2025-69230.
CVE-2025-7962 Vulnerability in the Siebel CRM End User product of Oracle Siebel CRM (component: Communications Panel/Dashboard (Jakarta Mail)). Supported versions that are affected are 17.0-25.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via SMTP to compromise Siebel CRM End User. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Siebel CRM End User accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]
CVE-2025-8869 Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager (pip)). Supported versions that are affected are 17.0-26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Siebel CRM Cloud Applications accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Supply Chain

This table provides the text form of the Risk Matrix for Oracle Supply Chain.
 

CVE ID Description
CVE-2025-68161 Vulnerability in the Oracle Product Lifecycle Analytics product of Oracle Supply Chain (component: Installation Issues (Apache Log4j)). The supported version that is affected is 3.6.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Product Lifecycle Analytics. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Product Lifecycle Analytics accessible data as well as unauthorized read access to a subset of Oracle Product Lifecycle Analytics accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-9900 Vulnerability in the Oracle AutoVue product of Oracle Supply Chain (component: Security (LibTIFF)). The supported version that is affected is 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle AutoVue. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle AutoVue.

Note: This vulnerability applies to Oracle AutoVue Office, Oracle AutoVue 2D Professional, Oracle AutoVue 3D Professional Advanced, Oracle AutoVue EDA Professional and Oracle AutoVue Electro-Mechanical Professional. Please refer to Patch Availability Document for more details.

CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2025-9900 also addresses CVE-2025-8176, CVE-2025-8177, and CVE-2025-8961.
CVE-2026-22801 Vulnerability in the Oracle AutoVue product of Oracle Supply Chain (component: Security (libpng)). The supported version that is affected is 21.1.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle AutoVue executes to compromise Oracle AutoVue. Successful attacks of this vulnerability can result in takeover of Oracle AutoVue.

Note: This vulnerability applies to Oracle AutoVue Office, Oracle AutoVue 2D Professional, Oracle AutoVue 3D Professional Advanced, Oracle AutoVue EDA Professional and Oracle AutoVue Electro-Mechanical Professional. Please refer to Patch Availability Document for more details.

CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). (legend) [Advisory]

The patch for CVE-2026-22801 also addresses CVE-2026-22695.
CVE-2026-34296 Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data.

CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). (legend) [Advisory]

The patch for CVE-2026-34296 also addresses CVE-2026-21969.

Text Form of Risk Matrix for Oracle Systems

This table provides the text form of the Risk Matrix for Oracle Systems.
 

CVE ID Description
CVE-2024-6387 Vulnerability in the Sun ZFS Storage Appliance Kit product of Oracle Systems (component: Firmware subsystem (OpenSSH)). The supported version that is affected is 8.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Sun ZFS Storage Appliance Kit. While the vulnerability is in Sun ZFS Storage Appliance Kit, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Sun ZFS Storage Appliance Kit.

CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-34281 Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris.

CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). (legend) [Advisory]

Text Form of Risk Matrix for Oracle Utilities Applications

This table provides the text form of the Risk Matrix for Oracle Utilities Applications.
 

CVE ID Description
CVE-2020-17521 Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: Security (Apache Groovy)). Supported versions that are affected are 4.3.0.5.0-4.3.0.6.0 and 4.4.0.0.0-4.4.0.3.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Utilities Application Framework executes to compromise Oracle Utilities Application Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Utilities Application Framework accessible data.

CVSS 3.1 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). (legend) [Advisory]
CVE-2025-48924 Security-in-Depth issue in the Oracle Utilities Network Management System product of Oracle Utilities Applications (component: SW- System Wide (Apache Commons Lang)). This vulnerability cannot be exploited in the context of this product. [Advisory]
CVE-2025-48924 Vulnerability in the Oracle Utilities Testing Accelerator product of Oracle Utilities Applications (component: Tools (Apache Commons Lang)). Supported versions that are affected are 7.0.0.0.7, 7.0.0.1.5 and 25.4.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Utilities Testing Accelerator. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Utilities Testing Accelerator.

CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2025-53643 Vulnerability in the Oracle Utilities Live Energy Connect product of Oracle Utilities Applications (component: Python Scripting (AIOHTTP)). Supported versions that are affected are 7.1.0.0.45 and 25.12.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Utilities Live Energy Connect. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Utilities Live Energy Connect accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]
CVE-2025-66418 Vulnerability in the Oracle Utilities Network Management System product of Oracle Utilities Applications (component: System Wide (urllib3)). Supported versions that are affected are 2.5.0.1.16, 2.5.0.2.10, 2.6.0.1.10 and 2.6.0.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Utilities Network Management System. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Utilities Network Management System.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]

The patch for CVE-2025-66418 also addresses CVE-2025-66471.
CVE-2025-68161 Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: Security (Apache Log4j)). Supported versions that are affected are 4.3.0.5.0-4.3.0.6.0, 4.4.0.0.0-4.4.0.4.0, 4.5.0.0.0-4.5.0.2.0, 25.4, 25.10 and 26.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Utilities Application Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Application Framework accessible data as well as unauthorized read access to a subset of Oracle Utilities Application Framework accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2025-68161 Vulnerability in the Oracle Utilities Testing Accelerator product of Oracle Utilities Applications (component: Tools (Apache Log4j)). Supported versions that are affected are 7.0.0.0.7, 7.0.0.1.5 and 25.4.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Utilities Testing Accelerator. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Testing Accelerator accessible data as well as unauthorized read access to a subset of Oracle Utilities Testing Accelerator accessible data.

CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). (legend) [Advisory]
CVE-2026-24734 Vulnerability in the Oracle Utilities Testing Accelerator product of Oracle Utilities Applications (component: Tools (Apache Tomcat)). Supported versions that are affected are 7.0.0.0.7, 7.0.0.1.5 and 25.4.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Utilities Testing Accelerator. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Utilities Testing Accelerator accessible data.

CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). (legend) [Advisory]

The patch for CVE-2026-24734 also addresses CVE-2025-61795.

Text Form of Risk Matrix for Oracle Virtualization

This table provides the text form of the Risk Matrix for Oracle Virtualization.
 

CVE ID Description
CVE-2026-35230 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.

CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-35242 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.

CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-35245 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.

CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). (legend) [Advisory]
CVE-2026-35246 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.

CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]
CVE-2026-35247 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data.

CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). (legend) [Advisory]
CVE-2026-35248 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox.

CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L). (legend) [Advisory]
CVE-2026-35249 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data.

CVSS 3.1 Base Score 3.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N). (legend) [Advisory]
CVE-2026-35250 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox.

CVSS 3.1 Base Score 2.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). (legend) [Advisory]
CVE-2026-35251 Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.

CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). (legend) [Advisory]