Description
Vulnerability in the Oracle APEX Sample Applications product of Oracle APEX (component: Brookstrut Sample App). Supported versions that are affected are 23.2.0, 23.2.1, 24.1.0, 24.2.0 and 24.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle APEX Sample Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle APEX Sample Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle APEX Sample Applications accessible data as well as unauthorized read access to a subset of Oracle APEX Sample Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-01-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Manipulation and Read via HTTP
Action: Assess Impact
AI Analysis

Impact

The vulnerability in Oracle APEX Sample Applications' Brookstrut Sample App allows an attacker with low privileges and network access to HTTP to perform unauthorized update, insert, delete and read operations on accessible data. The flaw can be exploited only when an additional human actor interacts with the application, implying a social engineering component. Successful exploitation leads to confidentiality and integrity impacts to a subset of data.

Affected Systems

Oracle Corporation's Oracle APEX Sample Applications, specifically the Brookstrut Sample App, in versions 23.2.0, 23.2.1, 24.1.0, 24.2.0 and 24.2.1.

Risk and Exploitability

CVSS 3.1 base score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not currently listed in the KEV catalog. The attack vector is likely HTTP network access, with low privileged user and human interaction from a non-attacker, indicating that social engineering or phishing may be needed. Because the flaw can change the integrity scope, unpatched systems could be exposed to unauthorized data modification if exploited, but the overall risk remains moderate.

Generated by OpenCVE AI on April 18, 2026 at 04:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Oracle APEX security patch or update that addresses the Brookstrut Sample App flaw.
  • Block or restrict external HTTP traffic to the APEX Sample Application environment, limiting exposure to trusted sources only.
  • Enforce strict access controls on the Sample Application, ensuring that low privileged users cannot execute update, insert or delete actions, and review permissions regularly.
  • Disable or remove the Brookstrut Sample App if it is not required, reducing the attack surface.
  • Monitor logs for suspicious activity involving unauthorized data access or modification and investigate anomalies.

Generated by OpenCVE AI on April 18, 2026 at 04:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Oracle apex
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:apex:23.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:apex:23.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:apex:24.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:apex:24.2.1:*:*:*:*:*:*:*
Vendors & Products Oracle apex

Wed, 21 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle APEX Sample Applications product of Oracle APEX (component: Brookstrut Sample App). Supported versions that are affected are 23.2.0, 23.2.1, 24.1.0, 24.2.0 and 24.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle APEX Sample Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle APEX Sample Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle APEX Sample Applications accessible data as well as unauthorized read access to a subset of Oracle APEX Sample Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
First Time appeared Oracle
Oracle apex Sample Applications
CPEs cpe:2.3:a:oracle:apex_sample_applications:23.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:apex_sample_applications:23.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:apex_sample_applications:24.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:apex_sample_applications:24.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:apex_sample_applications:24.2.1:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle apex Sample Applications
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Oracle Apex Apex Sample Applications
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:55:14.477Z

Reserved: 2026-01-05T18:07:34.709Z

Link: CVE-2026-21931

cve-icon Vulnrichment

Updated: 2026-01-21T20:55:11.812Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:15:55.667

Modified: 2026-01-29T21:15:55.080

Link: CVE-2026-21931

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses