Oracle Software Giant

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Oracle product.

RSS Feeds for Oracle security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Oracle products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Oracle Sorted by Most Security Vulnerabilities since 2018

Oracle1992 vulnerabilities

Oracle MySQL1289 vulnerabilities
Open Source Database Engine

Oracle Java739 vulnerabilities

Oracle Jdk727 vulnerabilities

Oracle VM VirtualBox336 vulnerabilities

Oracle Solaris326 vulnerabilities

Oracle Weblogic Server274 vulnerabilities
Java EE server

Oracle Peoplesoft Enterprise Peopletools261 vulnerabilities

Oracle GraalVM195 vulnerabilities

Oracle Linux160 vulnerabilities

Oracle Outside In Technology155 vulnerabilities

Oracle Database Server153 vulnerabilities
Oracle Database Server

Oracle Jd Edwards Enterpriseone Tools135 vulnerabilities

Oracle Communications Cloud Native Core Policy125 vulnerabilities

Oracle Retail Xstore Point Of Service118 vulnerabilities

Oracle Zfs Storage Appliance Kit117 vulnerabilities

Oracle Enterprise Manager Base Platform116 vulnerabilities

Oracle Enterprise Manager Ops Center101 vulnerabilities

Oracle E Business Suite95 vulnerabilities

Oracle Financial Services Analytical Applications Infrastructure91 vulnerabilities

Oracle Webcenter Portal89 vulnerabilities

Oracle Http Server84 vulnerabilities

Oracle Business Intelligence76 vulnerabilities

Oracle Communications Cloud Native Core Binding Support Function75 vulnerabilities

Oracle Communications Session Route Manager74 vulnerabilities

Oracle Agile Plm73 vulnerabilities

Oracle Communications Session Report Manager69 vulnerabilities

Oracle Instantis Enterprisetrack57 vulnerabilities

Oracle Flexcube Universal Banking57 vulnerabilities

Oracle Application Testing Suite56 vulnerabilities

Oracle Communications Instant Messaging Server55 vulnerabilities

Oracle Mysql Enterprise Monitor51 vulnerabilities

Oracle Mysql Cluster47 vulnerabilities

Oracle Communications Policy Management47 vulnerabilities

Oracle Retail Service Backbone44 vulnerabilities

Oracle Application Express44 vulnerabilities

Oracle Javafx44 vulnerabilities

Oracle Primavera P6 Enterprise Project Portfolio Management43 vulnerabilities

Oracle Marketing42 vulnerabilities

Oracle Jd Edwards Enterpriseone Orchestrator42 vulnerabilities

Oracle Blockchain Platform40 vulnerabilities

Oracle Retail Order Broker38 vulnerabilities

Oracle Bi Publisher37 vulnerabilities

Oracle Complex Maintenance Repair Overhaul35 vulnerabilities

Oracle Hyperion Infrastructure Technology35 vulnerabilities

Oracle Flexcube Investor Servicing34 vulnerabilities

Oracle Rest Data Services34 vulnerabilities

Oracle Goldengate Application Adapters34 vulnerabilities

Oracle Istore34 vulnerabilities

Oracle Retail Predictive Application Server33 vulnerabilities

Oracle Webcenter Sites33 vulnerabilities

Oracle Business Process Management Suite32 vulnerabilities

Oracle Communications Cloud Native Core Network Exposure Function31 vulnerabilities

Oracle Crm Technical Foundation29 vulnerabilities

Oracle Trade Management28 vulnerabilities

Oracle Hospitality Guest Access27 vulnerabilities

Oracle Hospitality Simphony27 vulnerabilities

Oracle Peoplesoft Enterprise Pt Peopletools27 vulnerabilities

Recent Oracle Security Advisories

Advisory	Title	Published
CSPUMay2026	Critical Security Patch Update Advisory - May 2026	May 28, 2026
CPUApr2026	Oracle Critical Patch Update Advisory - April 2026	April 21, 2026
alertcve202621992	Oracle Security Alert for CVE-2026-21992 - 19 March 2026	March 20, 2026
CPUJan2026	Oracle Critical Patch Update Advisory - January 2026	January 20, 2026
CPUOct2025	Oracle Critical Patch Update Advisory - October 2025	October 21, 2025
alertcve202561884	Oracle Security Alert for CVE-2025-61884 - 10 October 2025	October 12, 2025
alertcve202561882	Oracle Security Alert for CVE-2025-61882 - 4 October 2025	October 4, 2025
CPUJul2025	Oracle Critical Patch Update Advisory - July 2025	July 15, 2025
CPUApr2025	Oracle Critical Patch Update Advisory - April 2025	April 15, 2025
CPUJan2025	Oracle Critical Patch Update Advisory - January 2025	January 21, 2025

Known Exploited Oracle Vulnerabilities

The following Oracle vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

Title	Description	Added
Oracle WebLogic Server Unspecified Vulnerability	Oracle WebLogic contains an unspecified vulnerability that could allow an unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVE-2024-21182 Exploit Probability: 89.6%	June 1, 2026
Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability	Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager. CVE-2025-61757 Exploit Probability: 87.8%	November 21, 2025
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability	Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication. CVE-2025-61884 Exploit Probability: 48.3%	October 20, 2025
Oracle E-Business Suite Unspecified Vulnerability	Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks can result in takeover of Oracle Concurrent Processing. CVE-2025-61882 Exploit Probability: 87.5%	October 6, 2025
Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability	Oracle Agile Product Lifecycle Management (PLM) contains a deserialization vulnerability that allows a low-privileged attacker with network access via HTTP to compromise the system. CVE-2024-20953 Exploit Probability: 67.9%	February 24, 2025
Oracle WebLogic Server Unspecified Vulnerability	Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an unspecified vulnerability exploitable by an unauthenticated attacker with network access via IIOP or T3. CVE-2020-2883 Exploit Probability: 94.4%	January 7, 2025
Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability	Oracle Agile Product Lifecycle Management (PLM) contains an incorrect authorization vulnerability in the Process Extension component of the Software Development Kit. Successful exploitation of this vulnerability may result in unauthenticated file disclosure. CVE-2024-21287 Exploit Probability: 69.8%	November 21, 2024
Oracle JDeveloper Remote Code Execution Vulnerability	Oracle JDeveloper, a product within the Fusion Middleware suite, contains an deserialization vulnerability the ADF Faces component, leading to unauthenticated remote code execution. CVE-2022-21445 Exploit Probability: 92.0%	September 18, 2024
Oracle WebLogic Server Remote Code Execution Vulnerability	Oracle WebLogic Server, a product within the Fusion Middleware suite, contains a deserialization vulnerability. Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerability to achieve remote code execution. CVE-2020-14644 Exploit Probability: 93.6%	September 18, 2024
Oracle WebLogic Server OS Command Injection Vulnerability	Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document. CVE-2017-3506 Exploit Probability: 94.4%	June 3, 2024
Oracle Fusion Middleware Unspecified Vulnerability	Oracle Fusion Middleware contains an unspecified vulnerability in the WLS Core Components that allows an unauthenticated attacker with network access via IIOP to compromise the WebLogic Server. CVE-2020-2551 Exploit Probability: 94.4%	November 16, 2023
Oracle Java SE and JRockit Unspecified Vulnerability	Oracle Java SE and JRockit contains an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Management Extensions (JMX). This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web servi CVE-2016-3427 Exploit Probability: 93.3%	May 12, 2023
Oracle WebLogic Server Unspecified Vulnerability	Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server. CVE-2023-21839 Exploit Probability: 94.2%	May 1, 2023
Oracle E-Business Suite Unspecified Vulnerability	Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. CVE-2022-21587 Exploit Probability: 94.4%	February 2, 2023
Oracle Fusion Middleware Unspecified Vulnerability	Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to takeover the Access Manager product. CVE-2021-35587 Exploit Probability: 94.3%	November 28, 2022
Oracle WebLogic Server Unspecified Vulnerability	Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server. CVE-2018-2628 Exploit Probability: 94.4%	September 8, 2022
Oracle JRE Remote Code Execution Vulnerability	A vulnerability in the way Java restricts the permissions of Java applets could allow an attacker to execute commands on a vulnerable system. CVE-2013-0422 Exploit Probability: 93.6%	May 25, 2022
Oracle JRE Unspecified Vulnerability	Unspecified vulnerability in hotspot for Java Runtime Environment (JRE) allows remote attackers to affect integrity. CVE-2013-2423 Exploit Probability: 93.4%	May 25, 2022
Oracle JRE Sandbox Bypass Vulnerability	Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle allows remote attackers to bypass the Java security sandbox. CVE-2013-0431 Exploit Probability: 91.5%	May 25, 2022
Oracle Solaris Privilege Escalation Vulnerability	Oracle Solaris component: XScreenSaver contains an unspecified vulnerability which allows for privilege escalation. CVE-2019-3010 Exploit Probability: 53.5%	May 25, 2022

Of the known exploited vulnerabilities above, 16 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 4 known exploited Oracle vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

Top 10 Riskiest Oracle Vulnerabilities

Based on the current exploit probability, these Oracle vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.

Rank	CVE	EPSS	Vulnerability
1	CVE-2019-2725	94.5%	Oracle WebLogic Server, Injection
2	CVE-2020-14882	94.5%	Oracle WebLogic Server Remote Code Execution Vulnerability
3	CVE-2020-14883	94.4%	Oracle WebLogic Server Remote Code Execution Vulnerability
4	CVE-2017-10271	94.4%	Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
5	CVE-2020-14750	94.4%	Oracle WebLogic Server Remote Code Execution Vulnerability
6	CVE-2018-2628	94.4%	Oracle WebLogic Server Unspecified Vulnerability
7	CVE-2020-2551	94.4%	Oracle Fusion Middleware Unspecified Vulnerability
8	CVE-2017-3506	94.4%	Oracle WebLogic Server OS Command Injection Vulnerability
9	CVE-2022-21587	94.4%	Oracle E-Business Suite Unspecified Vulnerability
10	CVE-2020-2883	94.4%	Oracle WebLogic Server Unspecified Vulnerability

By the Year

In 2026 there have been 363 vulnerabilities in Oracle with an average score of 6.4 out of ten. Last year, in 2025 Oracle had 634 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Oracle in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.24.

Year	Vulnerabilities	Average Score
2026	363	6.45
2025	634	6.21
2024	648	6.14
2023	426	5.97
2022	555	6.26
2021	880	6.59
2020	976	6.33
2019	772	6.27
2018	808	6.51

It may take a day or so for new Oracle vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Oracle Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-46842	May 28, 2026	ORA-RESTDS Core Unauth RCE 24.2.0-26.1.0 (CVSS5.3) Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).	Rest Data Services
CVE-2026-46843	May 28, 2026	Oracle REST Data Services Core 24.2.0-26.1.0: Unauth HTTPS DOS Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).	Rest Data Services
CVE-2026-46840	May 28, 2026	Unauthenticated Exploit in Oracle ORDS 24.2.0-26.1 BaaS Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).	Rest Data Services
CVE-2026-46841	May 28, 2026	ORACLE ORD REST Data Servs 24.2.0 26.1.0 HTTPS Unauth Read Violation Vulnerability in Oracle REST Data Services (component: General). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).	Rest Data Services
CVE-2026-46839	May 28, 2026	Oracle RDS Core CVE-2026-46839: Remote Code Exec (24.2.0-26.1.0) Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).	Rest Data Services
CVE-2026-46834	May 28, 2026	Oracle DB Net Service Vulnerability (23.423.26.2) Unauth TLS Crash Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).	Database Net Service
CVE-2026-46837	May 28, 2026	Oracle Flow Manufacturing Sec DBiI (12.2.915) 8.8 Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).	Flow Manufacturing
CVE-2026-46835	May 28, 2026	Oracle Net Service DoS via TLS in 23.4.0-23.26.2 Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).	Database Net Service
CVE-2026-46833	May 28, 2026	Oracle Database Net Service Unauth TLS Exploit CVE-2026-46833 (23.4.023.26.2) Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).	Database Net Service
CVE-2026-46830	May 28, 2026	Oracle REST Data Services Mongoapi Unauth Read CVE-2026-46830 (24.2.026.1.0) Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).	Rest Data Services
CVE-2026-46829	May 28, 2026	Unauth RCE in ORDS Mongoapi 24.2.026.1.0 (Denial of Service) Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).	Rest Data Services
CVE-2026-46828	May 28, 2026	Oracle Payroll 12.2.3-12.2.15 Internal Ops HTTP Low-Priv Escalation Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payroll accessible data as well as unauthorized access to critical data or complete access to all Oracle Payroll accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).	Payroll
CVE-2026-46826	May 28, 2026	Oracle Payroll Internal Ops Exploitable: CVE-2026-46826 12.2.3-12.2.15 Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).	Payroll
CVE-2026-46827	May 28, 2026	Oracle Payroll Self Service Manager 12.2.3-12.2.15 HTTP Low-Priv CVE-2026-46827 Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).	Payroll
CVE-2026-46824	May 28, 2026	Oracle UQ 12.2.3-12.2.15 Remote RCE via HTTP (Work Provider Admin) Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).	Universal Work Queue
CVE-2026-46823	May 28, 2026	Oracle EBS Public Sector Financials 12.2.6-12.2.15 Auth Bypass via HTTPS Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Public Sector Financials (International). While the vulnerability is in Oracle Public Sector Financials (International), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Public Sector Financials (International) accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).	Public Sector Financials
CVE-2026-46822	May 28, 2026	Oracle iAssets CVE-2026-46822: HTTP takeover (12.2.3-12.2.15) Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iAssets. While the vulnerability is in Oracle iAssets, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iAssets. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).	Iassets
CVE-2026-46821	May 28, 2026	Oracle Financials Common Modules 12.2.312.2.15 Common Components CVE-2026-46821 Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).	Financials Common Modules
CVE-2026-46820	May 28, 2026	Oracle Financials Common Modules 12.2.3-12.2.15 HTTP Low-Priv Exploit Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data as well as unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).	Financials Common Modules
CVE-2026-46775	May 28, 2026	Oracle REST Data Services Core 24.2-26.1 RCE CVE-2026-46775 Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).	Rest Data Services
CVE-2026-46819	May 28, 2026	Oracle Internet Procurement Connector 12.2.3-12.2.15 HTTP Unauth Compromise Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Internet Procurement Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Internet Procurement Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).	Internet Procurement Connector
CVE-2026-46817	May 28, 2026	Oracle Payments 12.2.x File Transm Unauth Expos Compromise Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).	Payments
CVE-2026-46818	May 28, 2026	Oracle Payments EBS FT 12.2.3-12.2.15 Remote Authz Escalation Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Payments. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payments accessible data as well as unauthorized access to critical data or complete access to all Oracle Payments accessible data. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).	Payments
CVE-2026-35277	May 28, 2026	Oracle REST Data Services Core CVE-2026-35277 [24.2.0-26.1.0] Data Breach Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).	Rest Data Services
CVE-2026-35266	May 28, 2026	Oracle RDS 24.2.026.1.0 Core CVE-2026-35266: Partial DoS & Data Compromise Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L).	Rest Data Services
CVE-2026-34311	May 28, 2026	Oracle OPERA 5 UnAuth HTTP Takeover v5.6.19.24-5.6.28 CVE-2026-34311 Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).	Hospitality Opera 5 Property Services
CVE-2026-35255	May 06, 2026	CVE-2026-35255: OCE CLI 2.3.2 RCE via Malicious Env Var Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code.
CVE-2026-35254	May 06, 2026	OCI CLI 3.77 Unauth Network Access Allows Files Outside Intended Dir Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracle OCI CLI allowing users to place imported files outside the intended directory.
CVE-2026-35253	May 06, 2026	Oracle Macaron Tool v0.22.0 Unauth HTTP Host Validation Bypass Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerability can result in Oracle Macaron Tool failing host address validation.
CVE-2026-28780	May 05, 2026	Apache HTTP Server 2.4.66 mod_proxy_ajp Heap Buffer Overflow (CVE-2026-28780) Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-29168	May 05, 2026	Apache HTTP Server 2.4.30-2.4.66 mod_md OCSP Resource Exhaustion Vulnerability Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-35228	May 05, 2026	Oracle MCP Server Helper Tool 1.0.0-1.0.156 Remote SQL Injection via HTTP Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). The supported versions that is affected is 1.0.1-1.0.156. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle MCP Server Helper Tool. Successful attacks of this vulnerability can result in Oracle MCP Server Helper Tool executing malicious SQL.
CVE-2026-29169	May 04, 2026	Apache HTTP Server 2.4.66 mod_dav_lock Null PTR Crash A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
CVE-2026-23918	May 04, 2026	Apache HTTP Server 2.4.66 Double Free via HTTP/2 (possible RCE) Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-33006	May 04, 2026	Timing Att. Mod Auth Digest Bypass in Apache HTTP Server 2.4.66 A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
CVE-2026-33007	May 04, 2026	Apache HTTP Server 2.4.66: mod_authn_socache NULL deref crash (before 2.4.67) A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
CVE-2026-33523	May 04, 2026	Apache HTTP Server 2.4.66 Response Splitting via Modules HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-33857	May 04, 2026	Apache HTTP Server 2.4.66: OOB Read in mod_proxy_ajp (fixed 2.4.67) Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-34032	May 04, 2026	Apache HTTP Server <=2.4.66 Null-Termination OOB Read Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-34059	May 04, 2026	Apache HTTP Server 2.4.66 Buffer Over-Read Vulnerability Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-24072	May 04, 2026	CVE-2026-24072: Apache HTTPD 2.4.66-2.4.67 Priv Escalation via .htaccess An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
CVE-2026-35233	May 01, 2026	Oracle Solaris dtrace Out-of-Range sh_link ELF Exploit (DoS/Privilege Esc.) An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.	Linux
CVE-2026-21996	May 01, 2026	Oracle DTrace Integer Divide-by-Zero Crash via Malicious ELF An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer Divide-by-Zero in Pbuild_file_symtab()	Linux
CVE-2026-41044	Apr 24, 2026	Apache ActiveMQ code injection via admin console broker name pre 5.19.6/6.2.5 Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
CVE-2026-41043	Apr 24, 2026	Apache ActiveMQ Web Basic XSS Fixed in 5.19.6/6.2.5 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field. This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
CVE-2026-40466	Apr 24, 2026	Apache ActiveMQ Broker <5.19.6/6.2.5: Code Injection via HTTP Disc Connector Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.
CVE-2026-35252	Apr 21, 2026	Oracle SecSvc 12.2.1.4.0/12.1.3.0.0 Unauthorized Access via HTTPS (UIR) Vulnerability in the Oracle Security Service product of Oracle Fusion Middleware (component: C Oracle SSL API). Supported versions that are affected are 12.2.1.4.0 and 12.1.3.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Security Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Security Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Security Service accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).	Security Service
CVE-2026-35250	Apr 21, 2026	Oracle VirtualBox 7.2.6 Core Partial DOS Vulnerability Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 2.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).	VM VirtualBox
CVE-2026-35251	Apr 21, 2026	Oracle VM VirtualBox 7.2.6 (CVE-2026-35251) Core Local Privilege Escalation Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).	VM VirtualBox
CVE-2026-35249	Apr 21, 2026	Oracle VM VirtualBox 7.2.6 Core Privileged Mod Vulnerability (CVE-2026-35249) Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).	VM VirtualBox