Oracle Software Giant

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Oracle product.

RSS Feeds for Oracle security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Oracle products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Oracle Sorted by Most Security Vulnerabilities since 2018

Oracle MySQL1213 vulnerabilities
Open Source Database Engine

Oracle1133 vulnerabilities

Oracle Java Development Kit (JDK)718 vulnerabilities
Compilers, tool and runtime for java

Oracle Java Runtime Environment (JRE)706 vulnerabilities
The runtime that executes java bytecode

Oracle Solaris317 vulnerabilities

Oracle VM VirtualBox297 vulnerabilities

Oracle Weblogic Server263 vulnerabilities
Java EE server

Oracle Peoplesoft Enterprise Peopletools243 vulnerabilities

Oracle Graalvm168 vulnerabilities

Oracle Linux157 vulnerabilities

Oracle Outside In Technology155 vulnerabilities

Oracle Database Server144 vulnerabilities
Oracle Database Server

Oracle Jd Edwards Enterpriseone Tools131 vulnerabilities

Oracle Communications Cloud Native Core Policy125 vulnerabilities

Oracle Retail Xstore Point Of Service118 vulnerabilities

Oracle Enterprise Manager Base Platform115 vulnerabilities

Oracle Zfs Storage Appliance Kit107 vulnerabilities

Oracle Enterprise Manager Ops Center101 vulnerabilities

Oracle Webcenter Portal89 vulnerabilities

Oracle Http Server82 vulnerabilities

Oracle Communications Diameter Signaling Router80 vulnerabilities

Oracle Financial Services Analytical Applications Infrastructure77 vulnerabilities

Oracle Communications Cloud Native Core Binding Support Function75 vulnerabilities

Oracle Communications Session Route Manager74 vulnerabilities

Oracle Business Intelligence73 vulnerabilities

Oracle Communications Unified Inventory Management72 vulnerabilities

Oracle Agile Plm71 vulnerabilities

Oracle Banking Platform71 vulnerabilities

Oracle Communications Session Report Manager69 vulnerabilities

Oracle Retail Customer Management Segmentation Foundation58 vulnerabilities

Oracle E Business Suite58 vulnerabilities

Oracle Primavera Gateway58 vulnerabilities

Oracle Instantis Enterprisetrack57 vulnerabilities

Oracle Application Testing Suite56 vulnerabilities

Oracle Retail Merchandising System56 vulnerabilities

Oracle Flexcube Universal Banking56 vulnerabilities

Oracle Communications Instant Messaging Server55 vulnerabilities

Oracle Mysql Enterprise Monitor51 vulnerabilities

Oracle Commerce Guided Search50 vulnerabilities

Oracle Communications Policy Management47 vulnerabilities

Oracle Communications Cloud Native Core Network Function Cloud Native Environment46 vulnerabilities

Oracle Flexcube Private Banking44 vulnerabilities

Oracle Communications Operations Monitor43 vulnerabilities

Oracle Application Express42 vulnerabilities

Oracle Communications Cloud Native Core Unified Data Repository42 vulnerabilities

Oracle Jd Edwards Enterpriseone Orchestrator42 vulnerabilities

Oracle Primavera P6 Enterprise Project Portfolio Management42 vulnerabilities

Oracle Mysql Workbench41 vulnerabilities

Oracle Mysql Cluster40 vulnerabilities

Oracle Banking Virtual Account Management40 vulnerabilities

Oracle Blockchain Platform40 vulnerabilities

Oracle Marketing39 vulnerabilities

Oracle Siebel Ui Framework39 vulnerabilities

Oracle Retail Order Broker38 vulnerabilities

Oracle Communications Offline Mediation Controller37 vulnerabilities

Oracle Graalvm For Jdk37 vulnerabilities

Oracle Retail Integration Bus36 vulnerabilities

Oracle Banking Payments35 vulnerabilities

Oracle Complex Maintenance Repair Overhaul35 vulnerabilities

Oracle Goldengate Application Adapters34 vulnerabilities

Oracle Bi Publisher34 vulnerabilities

Oracle Retail Predictive Application Server33 vulnerabilities

Oracle Webcenter Sites33 vulnerabilities

Oracle Istore31 vulnerabilities

Oracle Communications Cloud Native Core Network Exposure Function31 vulnerabilities

Oracle Communications Billing Revenue Management Elastic Charging Engine30 vulnerabilities

Oracle Business Activity Monitoring29 vulnerabilities

Oracle Trade Management28 vulnerabilities

Oracle Hospitality Guest Access27 vulnerabilities

Oracle Hospitality Simphony27 vulnerabilities

Oracle Communications Cloud Native Core Security Edge Protection Proxy26 vulnerabilities

Recent Oracle Security Advisories

Advisory	Title	Published
CPUApr2025	Oracle Critical Patch Update Advisory - April 2025	April 15, 2025
CPUJan2025	Oracle Critical Patch Update Advisory - January 2025	January 21, 2025
alertcve202421287	Oracle Security Alert for CVE-2024-21287 - 18 November 2024	November 18, 2024
CPUJul2024	Oracle Critical Patch Update Advisory - July 2024	July 16, 2024
CPUApr2024	Oracle Critical Patch Update Advisory - April 2024	April 16, 2024
CPUJan2024	Oracle Critical Patch Update Advisory - January 2024	January 16, 2024
CPUOct2023	Oracle Critical Patch Update Advisory - October 2023	October 17, 2023
CPUOct2024	Oracle Critical Patch Update Advisory - October 2024	October 15, 2023
CPUJul2023	Oracle Critical Patch Update Advisory - July 2023	July 18, 2023
CPUApr2023	Oracle Critical Patch Update Advisory - April 2023	April 18, 2023

Known Exploited Oracle Vulnerabilities

The following Oracle vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

Title	Description	Added
Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability	Oracle Agile Product Lifecycle Management (PLM) contains a deserialization vulnerability that allows a low-privileged attacker with network access via HTTP to compromise the system. CVE-2024-20953 Exploit Probability: 76.5%	February 24, 2025
Oracle WebLogic Server Unspecified Vulnerability	Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an unspecified vulnerability exploitable by an unauthenticated attacker with network access via IIOP or T3. CVE-2020-2883 Exploit Probability: 93.7%	January 7, 2025
Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability	Oracle Agile Product Lifecycle Management (PLM) contains an incorrect authorization vulnerability in the Process Extension component of the Software Development Kit. Successful exploitation of this vulnerability may result in unauthenticated file disclosure. CVE-2024-21287 Exploit Probability: 74.0%	November 21, 2024
Oracle JDeveloper Remote Code Execution Vulnerability	Oracle JDeveloper, a product within the Fusion Middleware suite, contains an deserialization vulnerability the ADF Faces component, leading to unauthenticated remote code execution. CVE-2022-21445 Exploit Probability: 91.5%	September 18, 2024
Oracle WebLogic Server Remote Code Execution Vulnerability	Oracle WebLogic Server, a product within the Fusion Middleware suite, contains a deserialization vulnerability. Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerability to achieve remote code execution. CVE-2020-14644 Exploit Probability: 90.4%	September 18, 2024
Oracle WebLogic Server OS Command Injection Vulnerability	Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document. CVE-2017-3506 Exploit Probability: 94.4%	June 3, 2024
Oracle Fusion Middleware Unspecified Vulnerability	Oracle Fusion Middleware contains an unspecified vulnerability in the WLS Core Components that allows an unauthenticated attacker with network access via IIOP to compromise the WebLogic Server. CVE-2020-2551 Exploit Probability: 94.4%	November 16, 2023
Oracle Java SE and JRockit Unspecified Vulnerability	Oracle Java SE and JRockit contains an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Management Extensions (JMX). This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web servi CVE-2016-3427 Exploit Probability: 93.6%	May 12, 2023
Oracle WebLogic Server Unspecified Vulnerability	Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server. CVE-2023-21839 Exploit Probability: 93.3%	May 1, 2023
Oracle E-Business Suite Unspecified Vulnerability	Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. CVE-2022-21587 Exploit Probability: 94.4%	February 2, 2023
Oracle Fusion Middleware Unspecified Vulnerability	Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to takeover the Access Manager product. CVE-2021-35587 Exploit Probability: 94.2%	November 28, 2022
Oracle WebLogic Server Unspecified Vulnerability	Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server. CVE-2018-2628 Exploit Probability: 94.4%	September 8, 2022
Oracle JRE Unspecified Vulnerability	Unspecified vulnerability in the Java Runtime Environment (JRE) in Java SE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. CVE-2010-0840 Exploit Probability: 92.6%	May 25, 2022
Oracle Fusion Middleware Unspecified Vulnerability	Unspecified vulnerability in the Oracle WebCenter Forms Recognition component in Oracle Fusion Middleware allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Designer. CVE-2012-1710 Exploit Probability: 74.6%	May 25, 2022
Oracle JRE Remote Code Execution Vulnerability	A vulnerability in the way Java restricts the permissions of Java applets could allow an attacker to execute commands on a vulnerable system. CVE-2013-0422 Exploit Probability: 93.7%	May 25, 2022
Oracle JRE Sandbox Bypass Vulnerability	Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle allows remote attackers to bypass the Java security sandbox. CVE-2013-0431 Exploit Probability: 91.6%	May 25, 2022
Oracle JRE Unspecified Vulnerability	Unspecified vulnerability in hotspot for Java Runtime Environment (JRE) allows remote attackers to affect integrity. CVE-2013-2423 Exploit Probability: 93.5%	May 25, 2022
Oracle Solaris Privilege Escalation Vulnerability	Oracle Solaris component: XScreenSaver contains an unspecified vulnerability which allows for privilege escalation. CVE-2019-3010 Exploit Probability: 35.9%	May 25, 2022
Oracle Java SE Sandbox Bypass Vulnerability	The default Java security properties configuration did not restrict access to the com.sun.org.glassfish.external and com.sun.org.glassfish.gmbal packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. CVE-2012-5076 Exploit Probability: 92.5%	March 28, 2022
Oracle Fusion Middleware Unspecified Vulnerability	Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware allows remote attackers to affect integrity via unknown vectors CVE-2012-0518 Exploit Probability: 24.1%	March 28, 2022

Of the known exploited vulnerabilities above, 15 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 5 known exploited Oracle vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

Top 10 Riskiest Oracle Vulnerabilities

Based on the current exploit probability, these Oracle vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.

Rank	CVE	EPSS	Vulnerability
1	CVE-2020-14882	94.5%	Oracle WebLogic Server Remote Code Execution Vulnerability
2	CVE-2019-2725	94.4%	Oracle WebLogic Server, Injection
3	CVE-2017-10271	94.4%	Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
4	CVE-2020-14883	94.4%	Oracle WebLogic Server Remote Code Execution Vulnerability
5	CVE-2020-14750	94.4%	Oracle WebLogic Server Remote Code Execution Vulnerability
6	CVE-2018-2628	94.4%	Oracle WebLogic Server Unspecified Vulnerability
7	CVE-2017-3506	94.4%	Oracle WebLogic Server OS Command Injection Vulnerability
8	CVE-2020-2551	94.4%	Oracle Fusion Middleware Unspecified Vulnerability
9	CVE-2022-21587	94.4%	Oracle E-Business Suite Unspecified Vulnerability
10	CVE-2019-2616	94.3%	Oracle BI Publisher Unauthorized Access Vulnerability

By the Year

In 2025 there have been 206 vulnerabilities in Oracle with an average score of 6.0 out of ten. Last year, in 2024 Oracle had 628 security vulnerabilities published. Right now, Oracle is on track to have less security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.08

Year	Vulnerabilities	Average Score
2025	206	6.02
2024	628	6.10
2023	414	5.97
2022	549	6.25
2021	876	6.60
2020	976	6.43
2019	772	6.42
2018	808	6.57

It may take a day or so for new Oracle vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Oracle Security Vulnerabilities

A padding oracle vulnerability exists in Google Chromes AppBound cookie encryption mechanism due to observable decryption failure behavior in Windows Event Logs when handling malformed ciphertext in SYSTEM-DPAPI-encrypted blobs

CVE-2025-34091 - July 02, 2025

A padding oracle vulnerability exists in Google Chromes AppBound cookie encryption mechanism due to observable decryption failure behavior in Windows Event Logs when handling malformed ciphertext in SYSTEM-DPAPI-encrypted blobs. A local attacker can repeatedly send malformed ciphertexts to the Chrome elevation service and distinguish between padding and MAC errors, enabling a padding oracle attack. This allows partial decryption of the SYSTEM-DPAPI layer and eventual recovery of the user-DPAPI encrypted cookie key, which is trivially decrypted by the attackers own context. This issue undermines the core purpose of AppBound Encryption by enabling low-privileged cookie theft through cryptographic misuse and verbose error feedback. Confirmed in Google Chrome with AppBound Encryption enabled. Other Chromium-based browsers may be affected if they implement similar COM-based encryption mechanisms. This behavior arises from a combination of Chromes AppBound implementation and the way Microsoft Windows DPAPI reports decryption failures via Event Logs. As such, the vulnerability relies on cryptographic behavior and error visibility in all supported versions of Windows.

conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository

CVE-2025-49824 - June 17, 2025

conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_encrypt_binstar_token implementation in the conda-smithy package has been identified as vulnerable to an Oracle Padding Attack. This vulnerability results from the use of an outdated and insecure padding scheme during RSA encryption. A malicious actor with access to an oracle system can exploit this flaw by iteratively submitting modified ciphertexts and analyzing responses to infer the plaintext without possessing the private key. This issue has been patched in version 3.47.1.

Information Disclosure

XWiki is a generic wiki platform

CVE-2024-56158 - June 12, 2025

XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.

SQL Injection

A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could

CVE-2025-20286 9.9 - Critical - June 04, 2025

A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials. These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same. An attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports. A successful exploit could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. Note: If the Primary Administration node is deployed in the cloud, then Cisco ISE is affected by this vulnerability. If the Primary Administration node is on-premises, then it is not affected.

Use of Hard-coded Password

Keystone is a content management system for Node.js

CVE-2025-46720 - May 05, 2025

Keystone is a content management system for Node.js. Prior to version 6.5.0, `{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields. Specifically, when a mutation includes a `where` clause with multiple unique filters (e.g. `id` and `email`), Keystone will attempt to match records even if filtering by the latter fields would normally be rejected by `field.isFilterable` or `list.defaultIsFilterable`. This can allow malicious actors to infer the presence of a particular field value when a filter is successful in returning a result. This affects any project relying on the default or dynamic `isFilterable` behavior (at the list or field level) to prevent external users from using the filtering of fields as a discovery mechanism. While this access control is respected during `findMany` operations, it was not completely enforced during `update` and `delete` mutations when accepting more than one unique `where` values in filters. This has no impact on projects using `isFilterable: false` or `defaultIsFilterable: false` for sensitive fields, or for those who have otherwise omitted filtering by these fields from their GraphQL schema. This issue has been patched in `@keystone-6/core` version 6.5.0. To mitigate this issue in older versions where patching is not a viable pathway, set `isFilterable: false` statically for relevant fields to prevent filtering by them earlier in the access control pipeline (that is, don't use functions); set `{field}.graphql.omit.read: true` for relevant fields, which implicitly removes filtering by these fields from the GraphQL schema; and/or deny `update` and `delete` operations for the relevant lists completely.

Information Disclosure

OpenGrok 1.13.25 has a reflected Cross-Site Scripting (XSS) issue when producing the history view page

CVE-2025-21572 6.1 - Medium - May 02, 2025

OpenGrok 1.13.25 has a reflected Cross-Site Scripting (XSS) issue when producing the history view page. This happens through improper handling of path segments. The application reflects unsanitized user input into the HTML output.

Open Policy Agent (OPA) is an open source, general-purpose policy engine

CVE-2025-46569 - May 01, 2025

Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPAs RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons.

Code Injection

The TheCartPress boot-store (aka Boot Store) theme 1.6.4 for WordPress allows header.php tcp_register_error XSS

CVE-2015-4582 6.1 - Medium - April 28, 2025

The TheCartPress boot-store (aka Boot Store) theme 1.6.4 for WordPress allows header.php tcp_register_error XSS. NOTE: CVE-2015-4582 is not assigned to any Oracle product.

XSS

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J)

CVE-2025-30706 7.5 - High - April 15, 2025

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Attachments, File Upload)

CVE-2025-30718 5.4 - Medium - April 15, 2025

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Attachments, File Upload). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Attachments, File Upload)

CVE-2025-30711 5.4 - Medium - April 15, 2025

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Attachments, File Upload). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)

CVE-2025-30719 6.1 - Medium - April 15, 2025

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H).

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)

CVE-2025-30725 6.7 - Medium - April 15, 2025

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H).

Vulnerability in the Java VM component of Oracle Database Server

CVE-2025-30736 7.4 - High - April 15, 2025

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.26, 21.3-21.17 and 23.4-23.7. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data as well as unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Page and Field Configuration)

CVE-2025-30735 8.1 - High - April 15, 2025

Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Page and Field Configuration). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CC Common Application Objects. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise CC Common Application Objects accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise CC Common Application Objects accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF)

CVE-2025-30721 4 - Medium - April 15, 2025

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H).

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services)

CVE-2025-30715 4.9 - Medium - April 15, 2025

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: NDBCluster Plugin)

CVE-2025-30710 4.9 - Medium - April 15, 2025

Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: NDBCluster Plugin). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Cluster. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Orders)

CVE-2025-30720 6.1 - Medium - April 15, 2025

Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Orders). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications Applications (component: Security)

CVE-2025-30729 5.5 - Medium - April 15, 2025

Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications Applications (component: Security). Supported versions that are affected are 7.4.0, 7.4.1 and 7.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Order and Service Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Order and Service Management accessible data as well as unauthorized read access to a subset of Oracle Communications Order and Service Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Order and Service Management. CVSS 3.1 Base Score 5.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L).

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services)

CVE-2025-30724 7.5 - High - April 15, 2025

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Supported versions that are affected are 7.6.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: User Management)

CVE-2025-30707 7.5 - High - April 15, 2025

Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: User Management). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Search and Register Users)

CVE-2025-30708 7.5 - High - April 15, 2025

Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Search and Register Users). Supported versions that are affected are 12.2.4-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle User Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle User Management accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Smart View for Office product of Oracle Hyperion (component: Core Smart View)

CVE-2025-30737 5.7 - Medium - April 15, 2025

Vulnerability in the Oracle Smart View for Office product of Oracle Hyperion (component: Core Smart View). The supported version that is affected is 24.200. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Smart View for Office. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Smart View for Office accessible data as well as unauthorized access to critical data or complete access to all Oracle Smart View for Office accessible data. CVSS 3.1 Base Score 5.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N).

Vulnerability in the Oracle Common Applications product of Oracle E-Business Suite (component: CRM User Management Framework)

CVE-2025-30716 7.5 - High - April 15, 2025

Vulnerability in the Oracle Common Applications product of Oracle E-Business Suite (component: CRM User Management Framework). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Common Applications. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Common Applications accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Teleservice product of Oracle E-Business Suite (component: Service Diagnostics Scripts)

CVE-2025-30717 6.5 - Medium - April 15, 2025

Vulnerability in the Oracle Teleservice product of Oracle E-Business Suite (component: Service Diagnostics Scripts). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Teleservice. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Teleservice accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Core)

CVE-2025-30730 7.5 - High - April 15, 2025

Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Core). Supported versions that are affected are 12.2.5-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Application Object Library. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle Applications Technology Stack product of Oracle E-Business Suite (component: Configuration)

CVE-2025-30731 3.6 - Low - April 15, 2025

Vulnerability in the Oracle Applications Technology Stack product of Oracle E-Business Suite (component: Configuration). Supported versions that are affected are 12.2.3-12.2.14. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Applications Technology Stack executes to compromise Oracle Applications Technology Stack. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Technology Stack accessible data as well as unauthorized read access to a subset of Oracle Applications Technology Stack accessible data. CVSS 3.1 Base Score 3.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Core)

CVE-2025-30732 6.1 - Medium - April 15, 2025

Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Core). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Object Library, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Object Library accessible data as well as unauthorized read access to a subset of Oracle Application Object Library accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump)

CVE-2025-30722 6.8 - Medium - April 15, 2025

Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Client accessible data as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N).

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC)

CVE-2025-30709 6.1 - Medium - April 15, 2025

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)

CVE-2025-30712 8.1 - High - April 15, 2025

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).

Vulnerability in the PeopleSoft Enterprise HCM Talent Acquisition Manager product of Oracle PeopleSoft (component: Job Opening)

CVE-2025-30713 5.4 - Medium - April 15, 2025

Vulnerability in the PeopleSoft Enterprise HCM Talent Acquisition Manager product of Oracle PeopleSoft (component: Job Opening). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Talent Acquisition Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Talent Acquisition Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Talent Acquisition Manager accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Talent Acquisition Manager accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC)

CVE-2025-30740 6.5 - Medium - April 15, 2025

Vulnerability in the Oracle Application Object Library product of Oracle E-Business Suite (component: Core)

CVE-2025-30726 5.3 - Medium - April 15, 2025

Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: iSurvey Module)

CVE-2025-30727 9.8 - Critical - April 15, 2025

Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: iSurvey Module). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks of this vulnerability can result in takeover of Oracle Scripting. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Core)

CVE-2025-30728 7.5 - High - April 15, 2025

Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Core). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python)

CVE-2025-30714 4.8 - Medium - April 15, 2025

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services)

CVE-2025-30723 5.4 - Medium - April 15, 2025

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Supported versions that are affected are 7.6.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle BI Publisher. CVSS 3.1 Base Score 5.4 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).

Vulnerability in the RDBMS Listener component of Oracle Database Server

CVE-2025-30733 6.5 - Medium - April 15, 2025

Vulnerability in the RDBMS Listener component of Oracle Database Server. Supported versions that are affected are 19.3-19.26, 21.3-21.17 and 23.4-23.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise RDBMS Listener. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all RDBMS Listener accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Attachments)

CVE-2025-30692 6.5 - Medium - April 15, 2025

Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Attachments). Supported versions that are affected are 12.2.7-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSupplier Portal. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Personalization Server)

CVE-2025-21576 5.4 - Medium - April 15, 2025

Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Personalization Server). Supported versions that are affected are 11.3.0, 11.3.1 and 11.3.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Commerce Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Commerce Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Commerce Platform accessible data as well as unauthorized read access to a subset of Oracle Commerce Platform accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE)

CVE-2025-21587 7.4 - High - April 15, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC)

CVE-2025-21586 5.4 - Medium - April 15, 2025

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the XML Database component of Oracle Database Server

CVE-2025-30694 5.4 - Medium - April 15, 2025

Vulnerability in the XML Database component of Oracle Database Server. Supported versions that are affected are 19.3-19.26, 21.3-21.17 and 23.4-23.7. Easily exploitable vulnerability allows low privileged attacker having User Account privilege with network access via HTTP to compromise XML Database. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in XML Database, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of XML Database accessible data as well as unauthorized read access to a subset of XML Database accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication)

CVE-2025-30681 2.7 - Low - April 15, 2025

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module)

CVE-2025-30700 3.5 - Low - April 15, 2025

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 3.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N).

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem)

CVE-2025-30690 7.2 - High - April 15, 2025

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem). The supported version that is affected is 11. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Panel Processor)

CVE-2025-30697 5.4 - Medium - April 15, 2025

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Panel Processor). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB)

CVE-2025-30703 2.7 - Low - April 15, 2025

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).