ByteOS

Product

Oracle Java SE

Versions

Affected

8u481
8u481-b50
8u481-perf
11.0.30
17.0.18
21.0.10
25.0.2
26

Vendor

Product

Oracle GraalVM for JDK

Versions

Affected

17.0.18
21.0.10

Vendor

Oracle GraalVM Enterprise Edition

Product

Versions

Affected

21.3.17

Problem Types

Type	CWE ID	Description
N/A	N/A	Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.

Type: N/A

CWE ID: N/A

Description: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.

Metrics

Version	Base score	Base severity	Vector
3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

Hyperlink	Resource
https://www.oracle.com/security-alerts/cpuapr2026.html	vendor-advisory

Hyperlink: https://www.oracle.com/security-alerts/cpuapr2026.html

Resource:

vendor-advisory

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Problem Types

Type	CWE ID	Description
CWE	CWE-693	CWE-693 Protection Mechanism Failure

Type: CWE

CWE ID: CWE-693

Description: CWE-693 Protection Mechanism Failure

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:secalert_us@oracle.com

Published At:21 Apr, 2026 | 21:16

Updated At:27 Apr, 2026 | 12:15

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CPE Matches

cpe:2.3:a:oracle:jdk:1.8.0:update481:*:*:-:*:*:*

>>jdk>>1.8.0

cpe:2.3:a:oracle:jdk:1.8.0:update481:*:*:enterprise_performance_pack:*:*:*

>>jdk>>1.8.0

cpe:2.3:a:oracle:jdk:1.8.0:update481_b50:*:*:-:*:*:*

>>jdk>>1.8.0

cpe:2.3:a:oracle:jdk:11.0.30:*:*:*:*:*:*:*

>>jdk>>11.0.30

cpe:2.3:a:oracle:jdk:17.0.18:*:*:*:*:*:*:*

>>jdk>>17.0.18

cpe:2.3:a:oracle:jdk:21.0.10:*:*:*:*:*:*:*

>>jdk>>21.0.10

cpe:2.3:a:oracle:jdk:25.0.2:*:*:*:*:*:*:*

>>jdk>>25.0.2

cpe:2.3:a:oracle:jdk:26:*:*:*:*:*:*:*

>>jdk>>26

cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*

>>graalvm>>21.3.17

cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*

>>graalvm_for_jdk>>17.0.18

cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*

>>graalvm_for_jdk>>21.0.10

cpe:2.3:a:oracle:jre:1.8.0:update481:*:*:-:*:*:*

>>jre>>1.8.0

cpe:2.3:a:oracle:jre:1.8.0:update481:*:*:enterprise_performance_pack:*:*:*

>>jre>>1.8.0

cpe:2.3:a:oracle:jre:1.8.0:update481_b50:*:*:-:*:*:*

>>jre>>1.8.0

cpe:2.3:a:oracle:jre:11.0.30:*:*:*:*:*:*:*

>>jre>>11.0.30

cpe:2.3:a:oracle:jre:17.0.18:*:*:*:*:*:*:*

>>jre>>17.0.18

cpe:2.3:a:oracle:jre:21.0.10:*:*:*:*:*:*:*

>>jre>>21.0.10

cpe:2.3:a:oracle:jre:25.0.2:*:*:*:*:*:*:*

>>jre>>25.0.2

cpe:2.3:a:oracle:jre:26:*:*:*:*:*:*:*

>>jre>>26

Weaknesses

CWE ID	Type	Source
CWE-693	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

CWE ID: CWE-693

Type: Secondary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
https://www.oracle.com/security-alerts/cpuapr2026.html	secalert_us@oracle.com	Vendor Advisory

Hyperlink: https://www.oracle.com/security-alerts/cpuapr2026.html

Source: secalert_us@oracle.com

Resource:

Vendor Advisory

Similar CVEs

12Records found

CVE-2026-21999

Matching Score-8

Assigner-Oracle

Matching Score-8

Assigner-Oracle

CVSS Score-5.3||MEDIUM

EPSS-0.03% / 9.63%

7 Day CHG~0.00%

Published-21 Apr, 2026 | 20:34

Updated-22 Apr, 2026 | 21:24

Vulnerability in the XML Database component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all XML Database accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

Product-Oracle Database Server

CWE ID-CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CVE-2023-21942

Matching Score-8

Assigner-Oracle

Matching Score-8

Assigner-Oracle

CVSS Score-5.3||MEDIUM

EPSS-0.50% / 65.89%

7 Day CHG~0.00%

Published-18 Apr, 2023 | 19:54

Updated-16 Sep, 2024 | 15:17

Vulnerability in Oracle Essbase (component: Security and Provisioning). The supported version that is affected is 21.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Essbase. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Essbase accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

Product-essbase Hyperion Essbase

CVE-2023-21943

Matching Score-8

Assigner-Oracle

Matching Score-8

Assigner-Oracle

CVSS Score-5.3||MEDIUM

EPSS-0.50% / 65.89%

7 Day CHG~0.00%

Published-18 Apr, 2023 | 19:54

Updated-16 Sep, 2024 | 15:16

Product-essbase Hyperion Essbase

CVE-2023-21944

Matching Score-8

Assigner-Oracle

Matching Score-8

Assigner-Oracle

CVSS Score-5.3||MEDIUM

EPSS-0.50% / 65.89%

7 Day CHG~0.00%

Published-18 Apr, 2023 | 19:54

Updated-16 Sep, 2024 | 15:16

Product-essbase Hyperion Essbase

CVE-2021-22923

Matching Score-8

Assigner-HackerOne

Matching Score-8

Assigner-HackerOne

CVSS Score-5.3||MEDIUM

EPSS-0.07% / 20.52%

7 Day CHG-0.02%

Published-05 Aug, 2021 | 00:00

Updated-19 Nov, 2024 | 14:25

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.

Vendor-n/a NetApp, Inc.Oracle Corporation Siemens AG Splunk LLC (Cisco Systems, Inc.)CURL Fedora Project

CWE ID-CWE-319

Cleartext Transmission of Sensitive Information

CWE ID-CWE-522

Insufficiently Protected Credentials

CVE-2020-10775

Matching Score-8

Assigner-Red Hat, Inc.

Matching Score-8

Assigner-Red Hat, Inc.

CVSS Score-5.3||MEDIUM

EPSS-0.41% / 61.31%

7 Day CHG~0.00%

Published-24 Aug, 2020 | 16:13

Updated-04 Aug, 2024 | 11:14

An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL is no longer visible. The highest threat from this vulnerability is on confidentiality.

Vendor-n/a Oracle Corporation Red Hat, Inc.

Product-ovirt-engine virtualization ovirt-engine

CWE ID-CWE-451

User Interface (UI) Misrepresentation of Critical Information

CWE ID-CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

CVE-2025-33142

Matching Score-8

Assigner-IBM Corporation

Vendor-Oracle Corporation IBM Corporation HP Inc.Microsoft Corporation Linux Kernel Organization, Inc

Matching Score-8

Assigner-IBM Corporation

CVSS Score-5.3||MEDIUM

EPSS-0.04% / 12.44%

7 Day CHG+0.01%

Published-14 Aug, 2025 | 15:41

Updated-18 Aug, 2025 | 18:05

IBM WebSphere Application Server information disclosure

IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security for TLS connections.

Product-linux_kernel windows z\/os i solaris hp-ux websphere_application_server aix WebSphere Application Server

CWE ID-CWE-295

Improper Certificate Validation

CVE-2013-0431

Matching Score-6

Assigner-Oracle

Matching Score-6

Assigner-Oracle

CVSS Score-5.3||MEDIUM

EPSS-91.00% / 99.64%

7 Day CHG-0.59%

Published-31 Jan, 2013 | 14:10

Updated-21 Apr, 2026 | 19:02

Known KEV||Action Due Date - 2022-06-15||Apply updates per vendor instructions.

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.

Vendor-n/a Oracle Corporation

Product-openjdk jre n/a Java Runtime Environment (JRE)

CWE ID-CWE-693

Protection Mechanism Failure

CVE-2024-20926

Matching Score-6

Assigner-Oracle

Product-cloud_insights_acquisition_unit jdk jre graalvm debian_linux graalvm_for_jdk oncommand_insight cloud_insights_storage_workload_security_agent Java SE JDK and JRE

Matching Score-6

Assigner-Oracle

CVSS Score-5.9||MEDIUM

EPSS-0.19% / 41.02%

7 Day CHG~0.00%

Published-16 Jan, 2024 | 21:41

Updated-03 Nov, 2025 | 22:16

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vendor-Oracle Corporation Debian GNU/Linux NetApp, Inc.

CWE ID-CWE-284

Improper Access Control

CWE ID-CWE-502

Deserialization of Untrusted Data

CWE ID-CWE-693

Protection Mechanism Failure

CVE-2024-20923

Matching Score-6

Assigner-Oracle

Matching Score-6

Assigner-Oracle

CVSS Score-3.1||LOW

EPSS-0.27% / 50.31%

7 Day CHG-0.08%

Published-17 Feb, 2024 | 01:50

Updated-04 Nov, 2025 | 19:16

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Product-jdk graalvm jre Java SE JDK and JRE

CWE ID-CWE-693

Protection Mechanism Failure

CVE-2013-2465

Matching Score-6

Assigner-Oracle

Matching Score-6

Assigner-Oracle

CVSS Score-9.8||CRITICAL

EPSS-93.22% / 99.80%

7 Day CHG~0.00%

Published-18 Jun, 2013 | 22:00

Updated-22 Apr, 2026 | 13:08

Known KEV||Action Due Date - 2022-04-18||Apply updates per vendor instructions.

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.

Vendor-n/a Sun Microsystems (Oracle Corporation)Oracle Corporation SUSE

Product-linux_enterprise_desktop jre linux_enterprise_server linux_enterprise_java linux_enterprise_software_development_kit n/a Java SE

CWE ID-CWE-693

Protection Mechanism Failure

CVE-2021-31386

Matching Score-4

Assigner-Juniper Networks, Inc.