{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21969", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.714Z", "datePublished": "2026-01-20T21:56:34.844Z", "dateUpdated": "2026-02-26T14:44:38.630Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:34.844Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Agile Product Lifecycle Management for Process", "versions": [{"version": "6.2.4", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.4:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21969", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-22T04:55:27.595038Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:38.630Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21969", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-22T04:55:27.595038Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T19:14:13.284Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Agile Product Lifecycle Management for Process", "versions": [{"status": "affected", "version": "6.2.4", "versionType": "semver"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.4:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:34.844Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21969", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:38.630Z", "dateReserved": "2026-01-05T18:07:34.714Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-01-20T21:56:34.844Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "4F85AABE-B854-4887-A641-2102D355F9E3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)."}], "id": "CVE-2026-21969", "lastModified": "2026-01-29T14:48:11.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-01-20T22:15:59.970", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:36:42.639157+00:00", "value": {"mitigation_remediation": ["Apply the latest Oracle security patch for Agile Product Lifecycle Management for Process", "Restrict network access to the Supplier Portal to authenticated users only via firewall rules", "Monitor application logs for anomalous HTTP requests and potential compromise attempts"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Oracle Corporation\u2019s Agile Product Lifecycle Management for Process version 6.2.4 is affected. Users of the Supplier Portal component of this product are at risk.", "description_and_impact": "A flaw exists in the Supplier Portal component of Oracle Agile Product Lifecycle Management for Process that allows an unauthenticated attacker to exploit the system via a standard HTTP request. Once exploited, the vulnerability can compromise the confidentiality, integrity, and availability of the entire application, potentially leading to full takeover. The weakness involves improper authorization controls permitting unauthenticated access and potentially allowing an attacker to take over the application.", "risk_and_exploitability": "The base CVSS score is 9.8, indicating critical severity. Although the EPSS score is reported as less than 1\u202f%, reflecting a low but non\u2011zero probability of exploitation, the lack of a KEV listing does not diminish the need for immediate action. Based on the description, it is inferred that the likely attack vector is network access over HTTP to the vulnerable endpoint, which is exploitable without authentication or advanced privileges."}}}}, "created": "2026-04-18T15:45:04.271901+00:00", "title": "Remote Code Execution via Unauthenticated HTTP in Oracle Agile Product Lifecycle Management", "updated": "2026-04-18T15:45:04.271911+00:00", "vendors": [], "weaknesses": ["CWE-284", "CWE-287"]}