Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Published:
2026-04-21
Score:
7.5 High
EPSS:
< 1% Very Low
KEV:
No
Impact:
Unauthorized access to confidential data
Action:
Apply patch
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Oracle Corporation | Oracle Java SE | affected |
|
|||||||||||||||||||||||||||
| Oracle Corporation | Oracle GraalVM for JDK | affected |
|
|||||||||||||||||||||||||||
| Oracle Corporation | Oracle GraalVM Enterprise Edition | affected |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
Configuration 3 [-]
|
No data.
| Vendor | Product | Confidence | Versions | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Oracle | Graalvm | 95% |
|
||||||||||||||||||||||||||||||||||||
| Oracle | Graalvm Enterprise Edition | 100% |
|
||||||||||||||||||||||||||||||||||||
| Oracle | Graalvm For Jdk | 95% |
|
||||||||||||||||||||||||||||||||||||
| Oracle | Java Se | 100% |
|
Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 Debian DLA |
DLA-4565-1 | openjdk-17 security update |
| Debian DLA |
DLA-4566-1 | openjdk-11 security update |
 Debian DSA |
DSA-6231-1 | openjdk-21 security update |
| Debian DSA |
DSA-6237-1 | openjdk-17 |
| Debian DSA |
DSA-6246-1 | openjdk-25 security update |
References
History
Mon, 27 Apr 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-20 CWE-676 |
Mon, 27 Apr 2026 12:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Oracle jdk
Oracle jre |
|
| CPEs | cpe:2.3:a:oracle:jdk:1.8.0:update481:*:*:-:*:*:* cpe:2.3:a:oracle:jdk:1.8.0:update481:*:*:enterprise_performance_pack:*:*:* cpe:2.3:a:oracle:jdk:1.8.0:update481_b50:*:*:-:*:*:* cpe:2.3:a:oracle:jdk:11.0.30:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdk:17.0.18:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdk:21.0.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdk:25.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdk:26:*:*:*:*:*:*:* cpe:2.3:a:oracle:jre:1.8.0:update481:*:*:-:*:*:* cpe:2.3:a:oracle:jre:1.8.0:update481:*:*:enterprise_performance_pack:*:*:* cpe:2.3:a:oracle:jre:1.8.0:update481_b50:*:*:-:*:*:* cpe:2.3:a:oracle:jre:11.0.30:*:*:*:*:*:*:* cpe:2.3:a:oracle:jre:17.0.18:*:*:*:*:*:*:* cpe:2.3:a:oracle:jre:21.0.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:jre:25.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:jre:26:*:*:*:*:*:*:* |
|
| Vendors & Products |
Oracle jdk
Oracle jre |
Wed, 22 Apr 2026 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 22 Apr 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 CWE-502 |
Wed, 22 Apr 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unauthorized Information Disclosure via JAXP in Oracle Java SE and GraalVM | openjdk: OpenJDK: Enhance Path Factories Redux (Oracle CPU 2026-04) |
| First Time appeared |
Oracle graalvm Enterprise Edition
|
|
| Weaknesses | CWE-611 | |
| Vendors & Products |
Oracle graalvm Enterprise Edition
|
|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Wed, 22 Apr 2026 03:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unauthorized Information Disclosure via JAXP in Oracle Java SE and GraalVM | |
| Weaknesses | CWE-20 CWE-676 |
Wed, 22 Apr 2026 00:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |
| First Time appeared |
Oracle
Oracle graalvm Oracle graalvm For Jdk Oracle java Se |
|
| CPEs | cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:* cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:* cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:* cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:* cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:* cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:* cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:* cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:* |
|
| Vendors & Products |
Oracle
Oracle graalvm Oracle graalvm For Jdk Oracle java Se |
|
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: oracle
Published:
Updated: 2026-04-22T14:12:01.017Z
Reserved: 2026-01-05T18:07:34.728Z
Link: CVE-2026-22016
Vulnrichment
Updated: 2026-04-22T14:11:56.711Z
NVD
Status : Analyzed
Published: 2026-04-21T21:16:28.470
Modified: 2026-04-27T12:16:20.870
Link: CVE-2026-22016
Redhat
OpenCVE Enrichment
Updated: 2026-04-29T00:30:16Z