Vulnerability-Lookup

URL	Tags
https://spring.io/security/cve-2025-41248

Vendor	Product	Version
VMware	Spring Security	Affected: 6.4.x , < 6.4.11 (OSS) Affected: 6.5.x , < 6.5.5 (OSS)

CERTFR-2026-AVI-0292

Vulnerability from certfr_avis - Published: 2026-03-13 - Updated: 2026-03-13

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	WebSphere Service Registry and Repository	WebSphere Service Registry and Repository versions 8.5 antérieures à 8.5.5.30
IBM	Sterling Control Center	Sterling Control Center versions 6.4.1 antérieures à 6.4.1.0 iFix01
IBM	Sterling Control Center	Sterling Control Center versions 6.3.x antérieures à 6.3.1.0 iFix06
IBM	N/A	Sterling Secure Proxy versions 6.2.0 antérieures à 6.2.0.3 GA
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.2.3 antérieures à 6.2.3.6
IBM	N/A	Sterling Secure Proxy versions 6.2.1 antérieures à 6.2.1.2 GA
IBM	N/A	Sterling Secure Proxy versions 6.1.0 antérieures à 6.1.0.3 GA
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.2.3 antérieures à 6.2.3.6
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.2.4 antérieures à 6.2.4.3
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.2.4 antérieures à 6.2.4.3
IBM	Sterling Control Center	Sterling Control Center versions 6.4.0 antérieures à 6.4.0.0 iFix02

References

Title

Publication Time

CERTFR-2026-AVI-0556

Vulnerability from certfr_avis - Published: 2026-05-11 - Updated: 2026-05-11

De multiples vulnérabilités ont été découvertes dans les produits VMware. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 31.3.x antérieures à 3.13.15
VMware	Tanzu Greenplum	Tanzu Greenplum Streaming Server For Kubernetes versions antérieures à 1.3.0
VMware	Tanzu	Tanzu Data Flow on Kubernetes versions antérieures à 2.1.0
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 4.0.x antérieures à 4.0.20
VMware	Tanzu Greenplum	Tanzu Greenplum Backup and Restore versions antérieures à1.33.0
VMware	Tanzu Greenplum	Tanzu Greenplum Data Copy Utility versions antérieures à 2.9.3
VMware	Tanzu	Tanzu for Valkey on Kubernetes versions antérieures à 3.3.4
VMware	Tanzu Greenplum	Tanzu Greenplum Command Center versions 6.17.x antérieures à 6.17.0
VMware	Tanzu Greenplum	Tanzu Greenplum on Kubernetes versions antérieures à 1.1.0
VMware	Tanzu Greenplum	Tanzu Greenplum Platform Extension Framework versions antérieures à 8.0.0
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 4.2.x antérieures à 4.2.6
VMware	Tanzu Greenplum	Tanzu Greenplum Text versions antérieures à 4.0.0
VMware	Tanzu Greenplum	Tanzu Greenplum Streaming Server versions antérieures à 2.3.0
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 4.3.x antérieures à 4.3.0
VMware	Tanzu	Tanzu for Valkey on Kubernetes versions antérieures à 3.4.0
VMware	Tanzu Gemfire	Tanzu GemFire versions antérieures à 10.2.3
VMware	Tanzu Greenplum	Tanzu Greenplum Upgrade versions antérieures à 2.0.0
VMware	Tanzu Greenplum	Tanzu Greenplumversions antérieures à 7.8.0
VMware	Tanzu Gemfire	Tanzu GemFire Vector Database versions antérieures à 1.2.2
VMware	Tanzu Greenplum	Tanzu Greenplum versions antérieures à 6.33.0
VMware	Tanzu Greenplum	Tanzu Greenplum Command Center versions 7.7.x antérieures à 7.7.0
VMware	Tanzu	Tanzu RabbitMQ on Kubernetes versions 4.1.x antérieures à 4.1.11
VMware	Tanzu	Tanzu for MySQL on Kubernetes versions antérieures à 2.0.3

References

Title

Publication Time

CERTFR-2026-AVI-0667

Vulnerability from certfr_avis - Published: 2026-05-29 - Updated: 2026-05-29

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Cognos Analytics	Cognos Analytics Mobile versions antérieures à 1.1.26
IBM	Sterling Control Center	Sterling Control Center versions 6.3.1.0 sans le correctif iFix09
IBM	Tivoli Monitoring	Tivoli Monitoring sans le dernier correctif de sécurité
IBM	QRadar SIEM	QRadar SIEM versions 7.5.0 antérieures à 7.5.0 UP15 IF03
IBM	Sterling Control Center	Sterling Control Center versions 6.4.2.0 sans le correctif iFix04
IBM	QRadar Suite Software	QRadar Suite Software versions antérieures à 1.11.11.0
IBM	N/A	Analyst Workflow versions antérieures à 3.1.0
IBM	Cloud Pak	Cloud Pak for Security versions antérieures à 1.11.11.0
IBM	Sterling Control Center	Sterling Control Center versions 6.4.1.0 sans le correctif iFix03

References

Title

Publication Time

FKIE_CVE-2025-41248

Vulnerability from fkie_nvd - Published: 2025-09-16 11:15 - Updated: 2026-04-15 00:35

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 .

References

	URL	Tags
	security@vmware.com	https://spring.io/security/cve-2025-41248

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize\u00a0and other method security annotations, resulting in an authorization bypass.\n\nYour application may be affected by this if you are using Spring Security\u0027s @EnableMethodSecurity\u00a0feature.\n\nYou are not affected by this if you are not using @EnableMethodSecurity\u00a0or if you do not use security annotations on methods in generic superclasses or generic interfaces.\n\nThis CVE is published in conjunction with  CVE-2025-41249 https://spring.io/security/cve-2025-41249 ."
    }
  ],
  "id": "CVE-2025-41248",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@vmware.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-16T11:15:30.257",
  "references": [
    {
      "source": "security@vmware.com",
      "url": "https://spring.io/security/cve-2025-41248"
    }
  ],
  "sourceIdentifier": "security@vmware.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-289"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-8V5Q-RHF3-JPHM

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-16 21:34

Summary

Spring Security annotation detection mechanism has authorization bypass

Details

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass.

Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.

You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.

This CVE is published in conjunction with CVE-2025-41249 https://spring.io/security/cve-2025-41249 .

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.4.0"
            },
            {
              "fixed": "6.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.security:spring-security-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.5.0"
            },
            {
              "fixed": "6.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-41248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-16T19:34:33Z",
    "nvd_published_at": "2025-09-16T11:15:30Z",
    "severity": "HIGH"
  },
  "details": "The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize\u00a0and other method security annotations, resulting in an authorization bypass.\n\nYour application may be affected by this if you are using Spring Security\u0027s @EnableMethodSecurity\u00a0feature.\n\nYou are not affected by this if you are not using @EnableMethodSecurity\u00a0or if you do not use security annotations on methods in generic superclasses or generic interfaces.\n\nThis CVE is published in conjunction with  CVE-2025-41249 https://spring.io/security/cve-2025-41249 .",
  "id": "GHSA-8v5q-rhf3-jphm",
  "modified": "2025-09-16T21:34:17Z",
  "published": "2025-09-16T15:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-security/issues/17898"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-security/issues/17899"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-security/commit/d0f93fa6d8338149943ae640c53db07de827867f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-security/commit/e5694ac7b5e4394b920c6cab48b7bfbd871f84bd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-projects/spring-security"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-security/releases/tag/6.4.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-security/releases/tag/6.5.4"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2025-41248"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring Security annotation detection mechanism has authorization bypass"
}

JVNDB-2026-010299

Vulnerability from jvndb - Published: 2026-04-08 12:11 - Updated:2026-04-08 12:11

Summary

Multiple Vulnerabilities in Hitachi Ops Center Common Services

Details

Multiple vulnerabilities exist in Hitachi Ops Center Common Services. CVE-2024-4028, CVE-2025-8714, CVE-2025-8715, CVE-2025-10044, CVE-2025-12817, CVE-2025-12818, CVE-2025-41248, CVE-2025-41249, CVE-2026-1190

References

Type

URL

	CVE	https://www.cve.org/CVERecord?id=CVE-2024-4028
	CVE	https://www.cve.org/CVERecord?id=CVE-2025-10044
	CVE	https://www.cve.org/CVERecord?id=CVE-2025-12817
	CVE	https://www.cve.org/CVERecord?id=CVE-2025-12818
	CVE	https://www.cve.org/CVERecord?id=CVE-2025-41248
	CVE	https://www.cve.org/CVERecord?id=CVE-2025-41249
	CVE	https://www.cve.org/CVERecord?id=CVE-2025-8714
	CVE	https://www.cve.org/CVERecord?id=CVE-2025-8715
	CVE	https://www.cve.org/CVERecord?id=CVE-2026-1190

Impacted products

Vendor

Product

Hitachi, Ltd

Hitachi Ops Center Common Services

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-010299.html",
  "dc:date": "2026-04-08T12:11+09:00",
  "dcterms:issued": "2026-04-08T12:11+09:00",
  "dcterms:modified": "2026-04-08T12:11+09:00",
  "description": "Multiple vulnerabilities exist in Hitachi Ops Center Common Services.\r\n\r\nCVE-2024-4028, CVE-2025-8714, CVE-2025-8715, CVE-2025-10044, CVE-2025-12817, CVE-2025-12818, CVE-2025-41248, CVE-2025-41249, CVE-2026-1190",
  "link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-010299.html",
  "sec:cpe": {
    "#text": "cpe:/a:hitachi:ops_center_common_services",
    "@product": "Hitachi Ops Center Common Services",
    "@vendor": "Hitachi, Ltd",
    "@version": "2.2"
  },
  "sec:identifier": "JVNDB-2026-010299",
  "sec:references": [
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-4028",
      "@id": "CVE-2024-4028",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-10044",
      "@id": "CVE-2025-10044",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-12817",
      "@id": "CVE-2025-12817",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-12818",
      "@id": "CVE-2025-12818",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-41248",
      "@id": "CVE-2025-41248",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-41249",
      "@id": "CVE-2025-41249",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-8714",
      "@id": "CVE-2025-8714",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-8715",
      "@id": "CVE-2025-8715",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2026-1190",
      "@id": "CVE-2026-1190",
      "@source": "CVE"
    }
  ],
  "title": "Multiple Vulnerabilities in Hitachi Ops Center Common Services"
}

NCSC-2025-0293

Vulnerability from csaf_ncscnl - Published: 2025-09-16 13:38 - Updated: 2025-09-16 13:38

Summary

Kwetsbaarheden verholpen in Spring Framework

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: VMWare heeft kwetsbaarheden verholpen in de Spring Security framework.

Interpretaties: De kwetsbaarheden bevinden zich in de manier waarop het Spring Security framework annotaties detecteert, met name in typehiërarchieën die gebruikmaken van geparametriseerde supertypes met onbeperkte generics. Dit kan leiden tot een autorisatie-omzeiling wanneer gebruik wordt gemaakt van methodesecurity-annotaties zoals @PreAuthorize, vooral als @EnableMethodSecurity is ingeschakeld. Deze problemen zijn bijzonder kritisch voor applicaties die afhankelijk zijn van deze beveiligingsannotaties voor toegangscontrole.

Oplossingen: VMware heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-305: Authentication Bypass by Primary Weakness

CVE-2025-41248

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* VMware / Spring Framework		vers:unknown/*
vers:unknown/* VMware / Spring Security		vers:unknown/*

CVE-2025-41249

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* VMware / Spring Framework		vers:unknown/*
vers:unknown/* VMware / Spring Security		vers:unknown/*

References

3 references

URL	Category
https://spring.io/blog/2025/09/15/spring-framewor…	external
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "VMWare heeft kwetsbaarheden verholpen in de Spring Security framework.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden bevinden zich in de manier waarop het Spring Security framework annotaties detecteert, met name in typehi\u00ebrarchie\u00ebn die gebruikmaken van geparametriseerde supertypes met onbeperkte generics. Dit kan leiden tot een autorisatie-omzeiling wanneer gebruik wordt gemaakt van methodesecurity-annotaties zoals @PreAuthorize, vooral als @EnableMethodSecurity is ingeschakeld. Deze problemen zijn bijzonder kritisch voor applicaties die afhankelijk zijn van deze beveiligingsannotaties voor toegangscontrole.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "VMware heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Authentication Bypass by Primary Weakness",
        "title": "CWE-305"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://spring.io/blog/2025/09/15/spring-framework-and-spring-security-fixes-for-CVE-2025-41249-and-CVE-2025-41248"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Spring Framework",
    "tracking": {
      "current_release_date": "2025-09-16T13:38:44.960337Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0293",
      "initial_release_date": "2025-09-16T13:38:44.960337Z",
      "revision_history": [
        {
          "date": "2025-09-16T13:38:44.960337Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Spring Framework"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Spring Security"
          }
        ],
        "category": "vendor",
        "name": "VMware"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-41248",
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41248 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41248.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-41248"
    },
    {
      "cve": "CVE-2025-41249",
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41249 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-41249"
    }
  ]
}

NCSC-2026-0025

Vulnerability from csaf_ncscnl - Published: 2026-01-21 09:55 - Updated: 2026-01-21 09:55

Summary

Kwetsbaarheden verholpen in Oracle Financial Services

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle Banking Liquidity Management, Oracle Financial Services Model Management en Oracle FLEXCUBE.

Interpretaties: De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens en Denial-of-Service (DoS) aan te richten. Dit kan leiden tot vertrouwelijkheids- en integriteitsrisico's. Specifieke kwetsbaarheden omvatten onjuist beheer van verbindingen en onvoldoende invoervalidatie wat kan resulteren in systeemcompromittering en serviceonderbrekingen.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-125: Out-of-bounds Read

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-284: Improper Access Control

CWE-285: Improper Authorization

CWE-287: Improper Authentication

CWE-289: Authentication Bypass by Alternate Name

CWE-400: Uncontrolled Resource Consumption

CWE-404: Improper Resource Shutdown or Release

CWE-521: Weak Password Requirements

CWE-674: Uncontrolled Recursion

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-787: Out-of-bounds Write

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CWE-863: Incorrect Authorization

CWE-918: Server-Side Request Forgery (SSRF)

CWE-937: CWE-937

CWE-1035: CWE-1035

CVE-2025-5115

Multiple vulnerabilities, including the 'MadeYouReset' attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-9230

Multiple vulnerabilities related to out-of-bounds read and write issues in OpenSSL affect various products, with moderate severity assessments and low likelihood of successful exploitation.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-125 - Out-of-bounds Read

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-22228

Multiple vulnerabilities have been identified across Oracle and NetApp products, including critical issues in Oracle Banking Liquidity Management and Spring Security flaws affecting sensitive data integrity.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-521 - Weak Password Requirements

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-27817

Multiple vulnerabilities across Apache Kafka and Oracle products allow unauthorized access to sensitive data, with notable SSRF risks and CVSS scores of 7.5 for several Oracle systems.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-41248

Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-289 - Authentication Bypass by Alternate Name

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-41249

Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-285 - Improper Authorization

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-48734

Recent updates to Apache Commons BeanUtils and Oracle products address multiple vulnerabilities, including remote code execution and system compromise risks, affecting various versions and components.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-284 - Improper Access Control

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-48795

Multiple vulnerabilities in Oracle's Primavera P6 and WebCenter Forms Recognition, along with an Apache CXF bug and issues in HPE Telco Service Activator, expose systems to unauthorized data access and potential denial of service.

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-48924

Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-48976

Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-49796

Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-125 - Out-of-bounds Read

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-55163

Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the 'MadeYouReset' attack in HTTP/2, which can lead to denial of service and resource exhaustion.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-61795

Apache Tomcat and Oracle Communications Unified Assurance have critical vulnerabilities related to Denial of Service (DoS) risks, affecting multiple versions and requiring updates to address issues like improper resource shutdown and HTTP access exploitation.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-404 - Improper Resource Shutdown or Release

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2025-66418

The urllib3 library had a vulnerability allowing unbounded decompression chains, leading to potential Denial of Service (DoS) attacks due to excessive CPU and memory usage, fixed in version 2.6.0.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2026-21973

A vulnerability in Oracle FLEXCUBE Investor Servicing versions 14.5.0.15.0, 14.7.0.8.0, and 14.8.0.1.0 allows low privileged attackers to exploit it via HTTP, leading to unauthorized access and modification of critical data.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

CVE-2026-21978

A vulnerability in Oracle FLEXCUBE Universal Banking (versions 14.0.0.0.0-14.8.0.0.0) allows low privileged attackers with HTTP access to potentially gain unauthorized access to critical data, rated with a CVSS 3.1 Base Score of 6.5.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Cash Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Liquidity Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Supply Chain Finance		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Investor Servicing		vers:unknown/*
vers:unknown/* Oracle / Oracle FLEXCUBE Universal Banking		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Insurance Policy Administration J2EE		vers:unknown/*

References

17 references

URL	Category
https://www.oracle.com/security-alerts/cpujan2026.html	external
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle Banking Liquidity Management, Oracle Financial Services Model Management en Oracle FLEXCUBE.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens en Denial-of-Service (DoS) aan te richten. Dit kan leiden tot vertrouwelijkheids- en integriteitsrisico\u0027s. Specifieke kwetsbaarheden omvatten onjuist beheer van verbindingen en onvoldoende invoervalidatie wat kan resulteren in systeemcompromittering en serviceonderbrekingen.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Read",
        "title": "CWE-125"
      },
      {
        "category": "general",
        "text": "Exposure of Sensitive Information to an Unauthorized Actor",
        "title": "CWE-200"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Authorization",
        "title": "CWE-285"
      },
      {
        "category": "general",
        "text": "Improper Authentication",
        "title": "CWE-287"
      },
      {
        "category": "general",
        "text": "Authentication Bypass by Alternate Name",
        "title": "CWE-289"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Weak Password Requirements",
        "title": "CWE-521"
      },
      {
        "category": "general",
        "text": "Uncontrolled Recursion",
        "title": "CWE-674"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Write",
        "title": "CWE-787"
      },
      {
        "category": "general",
        "text": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
        "title": "CWE-843"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      },
      {
        "category": "general",
        "text": "CWE-937",
        "title": "CWE-937"
      },
      {
        "category": "general",
        "text": "CWE-1035",
        "title": "CWE-1035"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Financial Services",
    "tracking": {
      "current_release_date": "2026-01-21T09:55:33.889125Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0025",
      "initial_release_date": "2026-01-21T09:55:33.889125Z",
      "revision_history": [
        {
          "date": "2026-01-21T09:55:33.889125Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Banking Branch"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Banking Cash Management"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Banking Corporate Lending Process Management"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Banking Liquidity Management"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Banking Supply Chain Finance"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle FLEXCUBE Investor Servicing"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-7"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle FLEXCUBE Universal Banking"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-8"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Financial Services Compliance Studio"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-9"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Financial Services Model Management and Governance"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-10"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Insurance Policy Administration J2EE"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-5115",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5115 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5115.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-5115"
    },
    {
      "cve": "CVE-2025-9230",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities related to out-of-bounds read and write issues in OpenSSL affect various products, with moderate severity assessments and low likelihood of successful exploitation.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-9230 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9230.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-9230"
    },
    {
      "cve": "CVE-2025-22228",
      "cwe": {
        "id": "CWE-521",
        "name": "Weak Password Requirements"
      },
      "notes": [
        {
          "category": "other",
          "text": "Weak Password Requirements",
          "title": "CWE-521"
        },
        {
          "category": "other",
          "text": "Improper Authentication",
          "title": "CWE-287"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified across Oracle and NetApp products, including critical issues in Oracle Banking Liquidity Management and Spring Security flaws affecting sensitive data integrity.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-22228 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-22228.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-22228"
    },
    {
      "cve": "CVE-2025-27817",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Apache Kafka and Oracle products allow unauthorized access to sensitive data, with notable SSRF risks and CVSS scores of 7.5 for several Oracle systems.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-27817 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27817.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-27817"
    },
    {
      "cve": "CVE-2025-41248",
      "cwe": {
        "id": "CWE-289",
        "name": "Authentication Bypass by Alternate Name"
      },
      "notes": [
        {
          "category": "other",
          "text": "Authentication Bypass by Alternate Name",
          "title": "CWE-289"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41248 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41248.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-41248"
    },
    {
      "cve": "CVE-2025-41249",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Authorization",
          "title": "CWE-285"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41249 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-41249"
    },
    {
      "cve": "CVE-2025-48734",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        },
        {
          "category": "description",
          "text": "Recent updates to Apache Commons BeanUtils and Oracle products address multiple vulnerabilities, including remote code execution and system compromise risks, affecting various versions and components.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48734 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48734.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-48734"
    },
    {
      "cve": "CVE-2025-48795",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor",
          "title": "CWE-200"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Oracle\u0027s Primavera P6 and WebCenter Forms Recognition, along with an Apache CXF bug and issues in HPE Telco Service Activator, expose systems to unauthorized data access and potential denial of service.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48795 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48795.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-48795"
    },
    {
      "cve": "CVE-2025-48924",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48924 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-48924"
    },
    {
      "cve": "CVE-2025-48976",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-48976"
    },
    {
      "cve": "CVE-2025-49796",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49796 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49796.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-49796"
    },
    {
      "cve": "CVE-2025-55163",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2, which can lead to denial of service and resource exhaustion.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55163 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-55163"
    },
    {
      "cve": "CVE-2025-61795",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tomcat and Oracle Communications Unified Assurance have critical vulnerabilities related to Denial of Service (DoS) risks, affecting multiple versions and requiring updates to address issues like improper resource shutdown and HTTP access exploitation.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-61795 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61795.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-61795"
    },
    {
      "cve": "CVE-2025-66418",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "The urllib3 library had a vulnerability allowing unbounded decompression chains, leading to potential Denial of Service (DoS) attacks due to excessive CPU and memory usage, fixed in version 2.6.0.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-66418 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66418.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2025-66418"
    },
    {
      "cve": "CVE-2026-21973",
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in Oracle FLEXCUBE Investor Servicing versions 14.5.0.15.0, 14.7.0.8.0, and 14.8.0.1.0 allows low privileged attackers to exploit it via HTTP, leading to unauthorized access and modification of critical data.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-21973 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21973.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2026-21973"
    },
    {
      "cve": "CVE-2026-21978",
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in Oracle FLEXCUBE Universal Banking (versions 14.0.0.0.0-14.8.0.0.0) allows low privileged attackers with HTTP access to potentially gain unauthorized access to critical data, rated with a CVSS 3.1 Base Score of 6.5.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-21978 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21978.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10"
          ]
        }
      ],
      "title": "CVE-2026-21978"
    }
  ]
}

NCSC-2026-0027

Vulnerability from csaf_ncscnl - Published: 2026-01-21 10:08 - Updated: 2026-01-21 10:08

Summary

Kwetsbaarheden verholpen in Oracle Fusion Middleware

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle HTTP Server, Oracle WebLogic Server, en Oracle Fusion Middleware.

Interpretaties: De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens, Denial-of-Service (DoS) aanvallen uit te voeren, en de integriteit van systemen te compromitteren. Specifieke kwetsbaarheden omvatten onjuist beheer van HTTP-headers, ongecontroleerde recursie, en onvoldoende bufferbeperkingen, wat kan leiden tot systeemcrashes en gegevensverlies.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-117: Improper Output Neutralization for Logs

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-122: Heap-based Buffer Overflow

CWE-125: Out-of-bounds Read

CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

CWE-209: Generation of Error Message Containing Sensitive Information

CWE-252: Unchecked Return Value

CWE-284: Improper Access Control

CWE-285: Improper Authorization

CWE-289: Authentication Bypass by Alternate Name

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-400: Uncontrolled Resource Consumption

CWE-404: Improper Resource Shutdown or Release

CWE-457: Use of Uninitialized Variable

CWE-476: NULL Pointer Dereference

CWE-611: Improper Restriction of XML External Entity Reference

CWE-674: Uncontrolled Recursion

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-787: Out-of-bounds Write

CWE-827: Improper Control of Document Type Definition

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CWE-863: Incorrect Authorization

CWE-918: Server-Side Request Forgery (SSRF)

CWE-937: CWE-937

CWE-1035: CWE-1035

CVE-2021-45105

Multiple vulnerabilities across Apache Log4j, Oracle products, and various dependencies expose systems to denial-of-service and remote code execution risks, necessitating updates to secure versions.

10.0 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2022-41342

Recent vulnerabilities in Oracle products, including the Oracle HTTP Server and Database, allow for potential privilege escalation, remote code execution, and denial of service, with varying CVSS scores indicating significant risk.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-13009

Recent vulnerabilities in Oracle JD Edwards, Oracle Middleware, Eclipse Jetty, HPE Telco IP Mediation, and SAP Commerce Cloud expose systems to unauthorized access and data corruption, with CVSS scores reaching 7.2.

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-404 - Improper Resource Shutdown or Release

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-42516

Multiple vulnerabilities in Apache HTTP Server and Oracle HTTP Server, including CVE-2023-38709 and CVE-2024-42516, expose systems to risks such as HTTP response splitting, SSRF, and unauthorized access.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-20 - Improper Input Validation

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-43204

Apache HTTP Server versions prior to 2.4.64 are vulnerable to multiple security issues, including SSRF and HTTP response splitting, affecting mod_proxy and mod_headers configurations, with critical vulnerabilities also identified in Oracle HTTP Server.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-47252

Multiple vulnerabilities in Apache HTTP Server versions 2.4.63 and earlier, including insufficient escaping in mod_ssl, allow untrusted clients to compromise log integrity and potentially lead to unauthorized access and denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-47554

Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO allow for denial of service attacks, with CVSS scores ranging from 4.3 to 7.5, affecting various versions of these products.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-56406

Multiple vulnerabilities in Oracle Fusion Middleware and Perl, including heap buffer overflows and denial of service risks, affect various versions, with CVSS scores indicating significant severity.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE-787 - Out-of-bounds Write

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-4949

Multiple vulnerabilities across Oracle Database Server, Oracle Fusion Middleware, and Eclipse JGit expose systems to unauthorized access, severe impacts, and information disclosure through various attack vectors.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-5115

Multiple vulnerabilities, including the 'MadeYouReset' attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-12383

Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-23048

Multiple vulnerabilities in Apache HTTP Server versions 2.4.35 to 2.4.63 and Oracle HTTP Server allow unauthorized access, data modification, and denial of service, particularly through TLS session resumption and other exploit vectors.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-284 - Improper Access Control

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-26333

Oracle Database Server and Oracle GoldenGate have Security-in-Depth issues related to Dell BSAFE Crypto-J, which cannot be exploited within their respective contexts, although error messages may expose sensitive information.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-209 - Generation of Error Message Containing Sensitive Information

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-31672

Multiple vulnerabilities have been identified across various Oracle and Apache POI products, including improper input validation and unauthorized data access, affecting versions 5.4.0 and earlier, with CVSS scores of 5.3.

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE-20 - Improper Input Validation

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-41248

Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-289 - Authentication Bypass by Alternate Name

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-41249

Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-285 - Improper Authorization

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-43967

Oracle Hyperion Financial Reporting (version 11.2.23) has a denial of service vulnerability (CVSS 7.5), while libheif library versions prior to 1.19.6 have a NULL pointer dereference issue in the ImageItem_Grid::get_decoder function.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 - NULL Pointer Dereference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-48924

Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-48976

Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-49796

Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-125 - Out-of-bounds Read

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-53864

Multiple vulnerabilities across Oracle WebLogic Server, Oracle GoldenGate, and Connect2id Nimbus JOSE + JWT allow unauthenticated attackers to exploit denial of service conditions, affecting various versions with CVSS scores of 5.8.

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-54571

Recent vulnerabilities in Oracle HTTP Server and ModSecurity allow for denial of service and potential XSS attacks, affecting specific versions with significant severity scores.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-252 - Unchecked Return Value

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-54874

Oracle Fusion Middleware has a critical vulnerability (CVSS 9.8) allowing unauthenticated access, while OpenJPEG versions 2.5.1 to 2.5.3 contain a flaw leading to out-of-bounds heap memory writes.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-457 - Use of Uninitialized Variable

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-54988

Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft's OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-55163

Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the 'MadeYouReset' attack in HTTP/2, which can lead to denial of service and resource exhaustion.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-59375

Multiple vulnerabilities, including a memory amplification issue in libexpat and a DoS vulnerability in Oracle Communications Network Analytics, can lead to denial-of-service attacks without enabling arbitrary code execution.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-66516

Apache Tika has a critical XML External Entity (XXE) injection vulnerability affecting multiple modules, particularly in PDF parsing, allowing remote attackers to exploit crafted files for sensitive information disclosure or remote code execution.

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2026-21962

A critical vulnerability in Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in allows unauthenticated attackers to compromise systems, affecting specific versions with a CVSS score of 10.0.

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

References

29 references

URL	Category
https://www.oracle.com/security-alerts/cpujan2026.html	external
https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle HTTP Server, Oracle WebLogic Server, en Oracle Fusion Middleware.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens, Denial-of-Service (DoS) aanvallen uit te voeren, en de integriteit van systemen te compromitteren. Specifieke kwetsbaarheden omvatten onjuist beheer van HTTP-headers, ongecontroleerde recursie, en onvoldoende bufferbeperkingen, wat kan leiden tot systeemcrashes en gegevensverlies.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
        "title": "CWE-113"
      },
      {
        "category": "general",
        "text": "Improper Output Neutralization for Logs",
        "title": "CWE-117"
      },
      {
        "category": "general",
        "text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
        "title": "CWE-119"
      },
      {
        "category": "general",
        "text": "Heap-based Buffer Overflow",
        "title": "CWE-122"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Read",
        "title": "CWE-125"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Escape, Meta, or Control Sequences",
        "title": "CWE-150"
      },
      {
        "category": "general",
        "text": "Generation of Error Message Containing Sensitive Information",
        "title": "CWE-209"
      },
      {
        "category": "general",
        "text": "Unchecked Return Value",
        "title": "CWE-252"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Authorization",
        "title": "CWE-285"
      },
      {
        "category": "general",
        "text": "Authentication Bypass by Alternate Name",
        "title": "CWE-289"
      },
      {
        "category": "general",
        "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
        "title": "CWE-362"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Use of Uninitialized Variable",
        "title": "CWE-457"
      },
      {
        "category": "general",
        "text": "NULL Pointer Dereference",
        "title": "CWE-476"
      },
      {
        "category": "general",
        "text": "Improper Restriction of XML External Entity Reference",
        "title": "CWE-611"
      },
      {
        "category": "general",
        "text": "Uncontrolled Recursion",
        "title": "CWE-674"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Write",
        "title": "CWE-787"
      },
      {
        "category": "general",
        "text": "Improper Control of Document Type Definition",
        "title": "CWE-827"
      },
      {
        "category": "general",
        "text": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
        "title": "CWE-843"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      },
      {
        "category": "general",
        "text": "CWE-937",
        "title": "CWE-937"
      },
      {
        "category": "general",
        "text": "CWE-1035",
        "title": "CWE-1035"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Fusion Middleware",
    "tracking": {
      "current_release_date": "2026-01-21T10:08:59.379774Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0027",
      "initial_release_date": "2026-01-21T10:08:59.379774Z",
      "revision_history": [
        {
          "date": "2026-01-21T10:08:59.379774Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Data Integrator"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Fusion Middleware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Identity Manager Connector"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "Managed File Transfer"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Business Process Management Suite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Coherence"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-7"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Global Lifecycle Management NextGen OUI Framework"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-8"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle HTTP Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-9"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-10"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Identity Manager"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-11"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Outside In Technology"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-12"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle SOA Suite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-13"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Security Service"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-14"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Service Bus"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-15"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Unified Directory"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-16"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle WebCenter Enterprise Capture"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-17"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle WebLogic Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-18"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Weblogic Server Proxy Plug-in"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-19"
                }
              }
            ],
            "category": "product_name",
            "name": "Service Delivery Platform"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-20"
                }
              }
            ],
            "category": "product_name",
            "name": "WebCenter Sites"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-45105",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Apache Log4j, Oracle products, and various dependencies expose systems to denial-of-service and remote code execution risks, necessitating updates to secure versions.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2021-45105 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-2021-45105.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2021-45105"
    },
    {
      "cve": "CVE-2022-41342",
      "notes": [
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle products, including the Oracle HTTP Server and Database, allow for potential privilege escalation, remote code execution, and denial of service, with varying CVSS scores indicating significant risk.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-41342 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-41342.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2022-41342"
    },
    {
      "cve": "CVE-2024-13009",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle JD Edwards, Oracle Middleware, Eclipse Jetty, HPE Telco IP Mediation, and SAP Commerce Cloud expose systems to unauthorized access and data corruption, with CVSS scores reaching 7.2.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-13009 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-13009.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-13009"
    },
    {
      "cve": "CVE-2024-42516",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
          "title": "CWE-113"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Apache HTTP Server and Oracle HTTP Server, including CVE-2023-38709 and CVE-2024-42516, expose systems to risks such as HTTP response splitting, SSRF, and unauthorized access.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-42516 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-42516.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-42516"
    },
    {
      "cve": "CVE-2024-43204",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        },
        {
          "category": "description",
          "text": "Apache HTTP Server versions prior to 2.4.64 are vulnerable to multiple security issues, including SSRF and HTTP response splitting, affecting mod_proxy and mod_headers configurations, with critical vulnerabilities also identified in Oracle HTTP Server.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-43204 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-43204.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-43204"
    },
    {
      "cve": "CVE-2024-47252",
      "cwe": {
        "id": "CWE-150",
        "name": "Improper Neutralization of Escape, Meta, or Control Sequences"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Escape, Meta, or Control Sequences",
          "title": "CWE-150"
        },
        {
          "category": "other",
          "text": "Improper Output Neutralization for Logs",
          "title": "CWE-117"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Apache HTTP Server versions 2.4.63 and earlier, including insufficient escaping in mod_ssl, allow untrusted clients to compromise log integrity and potentially lead to unauthorized access and denial of service.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47252 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47252.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-47252"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO allow for denial of service attacks, with CVSS scores ranging from 4.3 to 7.5, affecting various versions of these products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47554 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47554.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-47554"
    },
    {
      "cve": "CVE-2024-56406",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        },
        {
          "category": "other",
          "text": "Heap-based Buffer Overflow",
          "title": "CWE-122"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Oracle Fusion Middleware and Perl, including heap buffer overflows and denial of service risks, affect various versions, with CVSS scores indicating significant severity.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-56406 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-56406.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-56406"
    },
    {
      "cve": "CVE-2025-4949",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "Improper Control of Document Type Definition",
          "title": "CWE-827"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Database Server, Oracle Fusion Middleware, and Eclipse JGit expose systems to unauthorized access, severe impacts, and information disclosure through various attack vectors.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-4949 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-4949.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-4949"
    },
    {
      "cve": "CVE-2025-5115",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5115 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5115.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-5115"
    },
    {
      "cve": "CVE-2025-12383",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
          "title": "CWE-362"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-12383 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12383.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-12383"
    },
    {
      "cve": "CVE-2025-23048",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Apache HTTP Server versions 2.4.35 to 2.4.63 and Oracle HTTP Server allow unauthorized access, data modification, and denial of service, particularly through TLS session resumption and other exploit vectors.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-23048 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-23048.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-23048"
    },
    {
      "cve": "CVE-2025-26333",
      "cwe": {
        "id": "CWE-209",
        "name": "Generation of Error Message Containing Sensitive Information"
      },
      "notes": [
        {
          "category": "other",
          "text": "Generation of Error Message Containing Sensitive Information",
          "title": "CWE-209"
        },
        {
          "category": "description",
          "text": "Oracle Database Server and Oracle GoldenGate have Security-in-Depth issues related to Dell BSAFE Crypto-J, which cannot be exploited within their respective contexts, although error messages may expose sensitive information.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-26333 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-26333.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-26333"
    },
    {
      "cve": "CVE-2025-31672",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified across various Oracle and Apache POI products, including improper input validation and unauthorized data access, affecting versions 5.4.0 and earlier, with CVSS scores of 5.3.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-31672 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-31672.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-31672"
    },
    {
      "cve": "CVE-2025-41248",
      "cwe": {
        "id": "CWE-289",
        "name": "Authentication Bypass by Alternate Name"
      },
      "notes": [
        {
          "category": "other",
          "text": "Authentication Bypass by Alternate Name",
          "title": "CWE-289"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41248 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41248.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-41248"
    },
    {
      "cve": "CVE-2025-41249",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Authorization",
          "title": "CWE-285"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41249 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-41249"
    },
    {
      "cve": "CVE-2025-43967",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "other",
          "text": "NULL Pointer Dereference",
          "title": "CWE-476"
        },
        {
          "category": "description",
          "text": "Oracle Hyperion Financial Reporting (version 11.2.23) has a denial of service vulnerability (CVSS 7.5), while libheif library versions prior to 1.19.6 have a NULL pointer dereference issue in the ImageItem_Grid::get_decoder function.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-43967 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-43967.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-43967"
    },
    {
      "cve": "CVE-2025-48924",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48924 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-48924"
    },
    {
      "cve": "CVE-2025-48976",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-48976"
    },
    {
      "cve": "CVE-2025-49796",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49796 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49796.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-49796"
    },
    {
      "cve": "CVE-2025-53864",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle WebLogic Server, Oracle GoldenGate, and Connect2id Nimbus JOSE + JWT allow unauthenticated attackers to exploit denial of service conditions, affecting various versions with CVSS scores of 5.8.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53864 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53864.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-53864"
    },
    {
      "cve": "CVE-2025-54571",
      "cwe": {
        "id": "CWE-252",
        "name": "Unchecked Return Value"
      },
      "notes": [
        {
          "category": "other",
          "text": "Unchecked Return Value",
          "title": "CWE-252"
        },
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle HTTP Server and ModSecurity allow for denial of service and potential XSS attacks, affecting specific versions with significant severity scores.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54571 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54571.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-54571"
    },
    {
      "cve": "CVE-2025-54874",
      "cwe": {
        "id": "CWE-457",
        "name": "Use of Uninitialized Variable"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use of Uninitialized Variable",
          "title": "CWE-457"
        },
        {
          "category": "description",
          "text": "Oracle Fusion Middleware has a critical vulnerability (CVSS 9.8) allowing unauthenticated access, while OpenJPEG versions 2.5.1 to 2.5.3 contain a flaw leading to out-of-bounds heap memory writes.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54874 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54874.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-54874"
    },
    {
      "cve": "CVE-2025-54988",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft\u0027s OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54988 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54988.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-54988"
    },
    {
      "cve": "CVE-2025-55163",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2, which can lead to denial of service and resource exhaustion.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55163 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-55163"
    },
    {
      "cve": "CVE-2025-59375",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities, including a memory amplification issue in libexpat and a DoS vulnerability in Oracle Communications Network Analytics, can lead to denial-of-service attacks without enabling arbitrary code execution.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-59375 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59375.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-59375"
    },
    {
      "cve": "CVE-2025-66516",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tika has a critical XML External Entity (XXE) injection vulnerability affecting multiple modules, particularly in PDF parsing, allowing remote attackers to exploit crafted files for sensitive information disclosure or remote code execution.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-66516 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66516.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-66516"
    },
    {
      "cve": "CVE-2026-21962",
      "notes": [
        {
          "category": "description",
          "text": "A critical vulnerability in Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in allows unauthenticated attackers to compromise systems, affecting specific versions with a CVSS score of 10.0.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-21962 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21962.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2026-21962"
    }
  ]
}

RHSA-2025:18028

Vulnerability from csaf_redhat - Published: 2025-10-14 17:59 - Updated: 2026-05-06 14:50

Summary

Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10.7 for Spring Boot release.

Severity

Important

Notes

Topic: Red Hat build of Apache Camel 4.10.7 for Spring Boot patch release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat build of Apache Camel 4.10.7 for Spring Boot patch release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Security Fix(es): * spring-security-core: Spring Security authorization bypass (CVE-2025-41248) * spring-core: Spring Framework Annotation Detection Vulnerability (CVE-2025-41249) * spring-core-test: Spring Framework Annotation Detection Vulnerability (CVE-2025-41249) * org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability (CVE-2025-41249) * org.eclipse.jgit: XXE vulnerability in Eclipse JGit (CVE-2025-4949) * netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056) * netty-codec-http2: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056) * minio: minio-java Client XML Tag is Vulnerable to Value Substitution (CVE-2025-59952) * io.minio/minio: minio-java Client XML Tag is Vulnerable to Value Substitution (CVE-2025-59952)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-4949

A flaw was found in Eclipse JGit. This vulnerability can allow information disclosure, denial of service, and other security issues when parsing XML files.

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10 Red Hat / Red Hat Build of Apache Camel	`cpe:/a:redhat:apache_camel_spring_boot:4.10`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2025-41248

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-289 - Authentication Bypass by Alternate Name

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10 Red Hat / Red Hat Build of Apache Camel	`cpe:/a:redhat:apache_camel_spring_boot:4.10`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-41249

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-863 - Incorrect Authorization

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10 Red Hat / Red Hat Build of Apache Camel	`cpe:/a:redhat:apache_camel_spring_boot:4.10`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-58056

A flaw in Netty’s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same input differently, potentially enabling HTTP request smuggling attacks such as bypassing access controls or corrupting responses.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10 Red Hat / Red Hat Build of Apache Camel	`cpe:/a:redhat:apache_camel_spring_boot:4.10`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2025-59952

In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources. Attackers could craft malicious XML inputs to extract sensitive data from the system's properties or environment variables, potentially compromising security in applications relying on minio-java for object storage operations.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10 Red Hat / Red Hat Build of Apache Camel	`cpe:/a:redhat:apache_camel_spring_boot:4.10`	—	Vendor Fix fix Workaround

Threats

Impact Important

References

44 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:18028	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2367730	external
https://bugzilla.redhat.com/show_bug.cgi?id=2392996	external
https://bugzilla.redhat.com/show_bug.cgi?id=2395723	external
https://bugzilla.redhat.com/show_bug.cgi?id=2395725	external
https://bugzilla.redhat.com/show_bug.cgi?id=2400380	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2025-4949	self
https://bugzilla.redhat.com/show_bug.cgi?id=2367730	external
https://www.cve.org/CVERecord?id=CVE-2025-4949	external
https://nvd.nist.gov/vuln/detail/CVE-2025-4949	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://gitlab.eclipse.org/security/vulnerability…	external
https://projects.eclipse.org/projects/technology.…	external
https://access.redhat.com/security/cve/CVE-2025-41248	self
https://bugzilla.redhat.com/show_bug.cgi?id=2395723	external
https://www.cve.org/CVERecord?id=CVE-2025-41248	external
https://nvd.nist.gov/vuln/detail/CVE-2025-41248	external
https://github.com/spring-projects/spring-securit…	external
https://spring.io/security/cve-2025-41248	external
https://access.redhat.com/security/cve/CVE-2025-41249	self
https://bugzilla.redhat.com/show_bug.cgi?id=2395725	external
https://www.cve.org/CVERecord?id=CVE-2025-41249	external
https://nvd.nist.gov/vuln/detail/CVE-2025-41249	external
https://github.com/spring-projects/spring-framewo…	external
https://spring.io/security/cve-2025-41249	external
https://access.redhat.com/security/cve/CVE-2025-58056	self
https://bugzilla.redhat.com/show_bug.cgi?id=2392996	external
https://www.cve.org/CVERecord?id=CVE-2025-58056	external
https://nvd.nist.gov/vuln/detail/CVE-2025-58056	external
https://datatracker.ietf.org/doc/html/rfc9112#nam…	external
https://github.com/JLLeitschuh/unCVEed/issues/1	external
https://github.com/netty/netty/commit/edb55fd8e0a…	external
https://github.com/netty/netty/issues/15522	external
https://github.com/netty/netty/pull/15611	external
https://github.com/netty/netty/security/advisorie…	external
https://w4ke.info/2025/06/18/funky-chunks.html	external
https://access.redhat.com/security/cve/CVE-2025-59952	self
https://bugzilla.redhat.com/show_bug.cgi?id=2400380	external
https://www.cve.org/CVERecord?id=CVE-2025-59952	external
https://nvd.nist.gov/vuln/detail/CVE-2025-59952	external
https://github.com/minio/minio-java/releases/tag/8.6.0	external
https://github.com/minio/minio-java/security/advi…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat build of Apache Camel 4.10.7 for Spring Boot patch release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives\na detailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat build of Apache Camel 4.10.7 for Spring Boot patch release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues\nfixed.\n\nSecurity Fix(es):\n   \n* spring-security-core: Spring Security authorization bypass (CVE-2025-41248)\n\n* spring-core: Spring Framework Annotation Detection Vulnerability (CVE-2025-41249)\n\n* spring-core-test: Spring Framework Annotation Detection Vulnerability (CVE-2025-41249)\n\n* org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability (CVE-2025-41249)\n\n* org.eclipse.jgit: XXE vulnerability in Eclipse JGit (CVE-2025-4949)\n\n* netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056)\n\n* netty-codec-http2: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2025-58056)\n\n* minio: minio-java Client XML Tag is Vulnerable to Value Substitution (CVE-2025-59952)\n\n* io.minio/minio: minio-java Client XML Tag is Vulnerable to Value Substitution (CVE-2025-59952)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:18028",
        "url": "https://access.redhat.com/errata/RHSA-2025:18028"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2367730",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367730"
      },
      {
        "category": "external",
        "summary": "2392996",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392996"
      },
      {
        "category": "external",
        "summary": "2395723",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395723"
      },
      {
        "category": "external",
        "summary": "2395725",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395725"
      },
      {
        "category": "external",
        "summary": "2400380",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2400380"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_18028.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10.7 for Spring Boot release.",
    "tracking": {
      "current_release_date": "2026-05-06T14:50:18+00:00",
      "generator": {
        "date": "2026-05-06T14:50:18+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2025:18028",
      "initial_release_date": "2025-10-14T17:59:03+00:00",
      "revision_history": [
        {
          "date": "2025-10-14T17:59:03+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-10-14T17:59:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-06T14:50:18+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10",
                "product": {
                  "name": "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10",
                  "product_id": "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.10"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Build of Apache Camel"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-4949",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2025-05-21T07:00:48.762597+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2367730"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse JGit. This vulnerability can allow information disclosure, denial of service, and other security issues when parsing XML files.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jgit: XXE vulnerability in Eclipse JGit",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Moderate for Red Hat products. A flaw in Eclipse JGit allows for XML External Entity (XXE) attacks when parsing specially crafted XML files. This can lead to local denial of service in affected Red Hat products that utilize JGit\u0027s ManifestParser or AmazonS3 class for git transport. The current 9.8 rating by NVD assumes a default, server-side exploitation path. However, the vulnerability resides in the experimental AmazonS3 transport class within Eclipse JGit, which is not enabled by default and requires non-standard configuration (Attack Complexity: High). Furthermore, exploitation typically occurs via client-side tools (e.g., repo) requiring active user participation (User Interaction: Required), limiting the primary risk to local Denial of Service rather than remote, unauthenticated compromise (Availability: High).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-4949"
        },
        {
          "category": "external",
          "summary": "RHBZ#2367730",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367730"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-4949",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-4949"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4949",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4949"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281",
          "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281"
        },
        {
          "category": "external",
          "summary": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1",
          "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1"
        }
      ],
      "release_date": "2025-05-21T06:47:19.777000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-10-14T17:59:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:18028"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jgit: XXE vulnerability in Eclipse JGit"
    },
    {
      "cve": "CVE-2025-41248",
      "cwe": {
        "id": "CWE-289",
        "name": "Authentication Bypass by Alternate Name"
      },
      "discovery_date": "2025-09-16T11:00:42.699993+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2395723"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.springframework.security/spring-security-core: Spring Security authorization bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-41248"
        },
        {
          "category": "external",
          "summary": "RHBZ#2395723",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395723"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-41248",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-41248"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-41248",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41248"
        },
        {
          "category": "external",
          "summary": "https://github.com/spring-projects/spring-security/issues/17898",
          "url": "https://github.com/spring-projects/spring-security/issues/17898"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2025-41248",
          "url": "https://spring.io/security/cve-2025-41248"
        }
      ],
      "release_date": "2025-09-16T10:10:59.953000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-10-14T17:59:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:18028"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.springframework.security/spring-security-core: Spring Security authorization bypass"
    },
    {
      "cve": "CVE-2025-41249",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2025-09-16T11:00:49.967990+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2395725"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-41249"
        },
        {
          "category": "external",
          "summary": "RHBZ#2395725",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395725"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-41249",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-41249"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-41249",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41249"
        },
        {
          "category": "external",
          "summary": "https://github.com/spring-projects/spring-framework/issues/35342",
          "url": "https://github.com/spring-projects/spring-framework/issues/35342"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2025-41249",
          "url": "https://spring.io/security/cve-2025-41249"
        }
      ],
      "release_date": "2025-09-16T10:15:34.118000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-10-14T17:59:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:18028"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability"
    },
    {
      "cve": "CVE-2025-58056",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2025-09-03T21:01:22.935850+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2392996"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw in Netty\u2019s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same input differently, potentially enabling HTTP request smuggling attacks such as bypassing access controls or corrupting responses.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue is considered Moderate rather than Important because successful exploitation depends on a very specific deployment condition: the presence of an intermediary reverse proxy that both mishandles lone LF characters in chunk extensions and forwards them unmodified to Netty. By itself, Netty\u2019s parsing quirk does not introduce risk, and in most real-world environments, reverse proxies normalize or reject malformed chunked requests, preventing smuggling. As a result, the vulnerability has limited reach, requires a niche configuration to be exploitable, and does not universally expose Netty-based servers to request smuggling\u2014hence it is rated moderate in severity rather than important or critical.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-58056"
        },
        {
          "category": "external",
          "summary": "RHBZ#2392996",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392996"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-58056",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-58056"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056"
        },
        {
          "category": "external",
          "summary": "https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding",
          "url": "https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding"
        },
        {
          "category": "external",
          "summary": "https://github.com/JLLeitschuh/unCVEed/issues/1",
          "url": "https://github.com/JLLeitschuh/unCVEed/issues/1"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284",
          "url": "https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/issues/15522",
          "url": "https://github.com/netty/netty/issues/15522"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/pull/15611",
          "url": "https://github.com/netty/netty/pull/15611"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49"
        },
        {
          "category": "external",
          "summary": "https://w4ke.info/2025/06/18/funky-chunks.html",
          "url": "https://w4ke.info/2025/06/18/funky-chunks.html"
        }
      ],
      "release_date": "2025-09-03T20:56:50.732000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-10-14T17:59:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:18028"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, enforce strict RFC compliance on all front-end proxies and load balancers so that lone LF characters in chunk extensions are rejected or normalized before being forwarded. Additionally, configure input validation at the application or proxy layer to block malformed chunked requests, ensuring consistent parsing across all components in the request path.",
          "product_ids": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions"
    },
    {
      "cve": "CVE-2025-59952",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2025-09-30T00:01:08.819825+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2400380"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources. Attackers could craft malicious XML inputs to extract sensitive data from the system\u0027s properties or environment variables, potentially compromising security in applications relying on minio-java for object storage operations.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "io.minio/minio: minio-java Client XML Tag is Vulnerable to Value Substitution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-59952"
        },
        {
          "category": "external",
          "summary": "RHBZ#2400380",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2400380"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-59952",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-59952"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-59952",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59952"
        },
        {
          "category": "external",
          "summary": "https://github.com/minio/minio-java/releases/tag/8.6.0",
          "url": "https://github.com/minio/minio-java/releases/tag/8.6.0"
        },
        {
          "category": "external",
          "summary": "https://github.com/minio/minio-java/security/advisories/GHSA-h7rh-xfpj-hpcm",
          "url": "https://github.com/minio/minio-java/security/advisories/GHSA-h7rh-xfpj-hpcm"
        }
      ],
      "release_date": "2025-09-29T23:32:33.994000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-10-14T17:59:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:18028"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "io.minio/minio: minio-java Client XML Tag is Vulnerable to Value Substitution"
    }
  ]
}

CVE-2025-41248 (GCVE-0-2025-41248)

Tags

Sightings

Nomenclature

Action not permitted

CVE-2025-41248 (GCVE-0-2025-41248)

Solutions

Solutions

Solutions

Tags

Sightings

Nomenclature