CVE-2026-21943 - Vulnerability Details

Description

Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: Scripting Admin). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Scripting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Scripting accessible data as well as unauthorized read access to a subset of Oracle Scripting accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Published: 2026-01-20

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A reflected cross‑site scripting vulnerability exists in the Oracle Scripting Admin component of Oracle E‑Business Suite that allows an unauthenticated attacker with network access to HTTP to compromise the interface. The flaw can result in unauthorized updates, inserts, deletes, or reads of data made available by the Scripting interface. The vulnerability is classified as CWE‑79 and carries a CVSS v3.1 base score of 6.1, indicating moderate impacts on confidentiality and integrity.

Affected Systems

Oracle Corporation’s Oracle Scripting product included in Oracle E‑Business Suite, versions 12.2.3 through 12.2.15, are affected. The vulnerability targets the Scripting Admin component.

Risk and Exploitability

The flaw is easily exploitable over HTTP and requires the attacker to entice a separate authorized user to a crafted URL or input, after which the XSS payload runs in the victim’s browser. The EPSS score is below 1 %, suggesting a low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Nevertheless, the potential for unauthorized data manipulation or leakage remains, warranting prompt attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Scripting

affected

Version	Status	Constraints
`12.2.3`	affected	≤ 12.2.15

Configuration 1 [-]

cpe:2.3:a:oracle:scripting:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Oracle patch released with CPU January 2026 that addresses the XSS flaw in Oracle Scripting
Restrict network exposure of the Scripting Admin interface by limiting inbound HTTP traffic to trusted IP ranges or firewall rules
Enforce strong authentication for all Scripting Admin access and disable or reduce remote administrative functionality when it is not required

Generated by OpenCVE AI on April 18, 2026 at 15:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.oracle.com/security-alerts/cpujan2026.html

History

Wed, 21 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: Scripting Admin). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Scripting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Scripting accessible data as well as unauthorized read access to a subset of Oracle Scripting accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
First Time appeared		Oracle Oracle scripting
CPEs		cpe:2.3:a:oracle:scripting::::::::
Vendors & Products		Oracle Oracle scripting
References		https://www.oracle.com/security-alerts/cpujan2026.html
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Oracle Scripting

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-01-20T21:56:27.362Z

Updated: 2026-01-21T15:02:26.204Z

Reserved: 2026-01-05T18:07:34.711Z

Link: CVE-2026-21943

Vulnrichment

Updated: 2026-01-21T15:02:22.622Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:57.147

Modified: 2026-01-29T20:40:04.880

Link: CVE-2026-21943

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object