Description
Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
Published: 2026-01-20
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Integrity compromise by unauthorized data modification
Action: Assess Impact
AI Analysis

Impact

The flaw is a cross‑site scripting weakness located within JavaFX, an out‑of‑box component of Oracle Java SE. An attacker can embed malicious code into a Java Web Start or applet image that, when executed by a victim, permits the attacker to update, insert or delete data that the Java runtime can access. Although the attack does not grant arbitrary code execution, it violates the integrity of client‑side data exposed by the Java application.

Affected Systems

The vulnerability affects Oracle Java SE 8u471‑b50, specifically the JavaFX component included in the JDK and JRE distributions. Client environments that run sandboxed Java Web Start applications or applets which load untrusted code from the internet are at risk. Deployments that use Java in server‑only trusted contexts are not impacted.

Risk and Exploitability

The CVSS base score of 3.1 classifies the flaw as Low, and the EPSS score of less than 1% indicates a very low likelihood of active exploitation. The vulnerability is not listed in the CISA KEV catalog, supporting its low exploitability. Exploitation requires an attacker to deliver malicious JavaFX content to a client and persuade a user to open it; even then the impact is limited to integrity violations rather than remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 04:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Java SE to the latest patch level that removes the JavaFX cross‑site scripting flaw, for example Java SE 8u471‑b51 or newer.
  • Disable or remove deprecated Java applets and Java Web Start from client environments that do not require them.
  • Restrict client systems from loading untrusted Java content by enforcing strict browser policies or blocking internet access for JavaFX applications.



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 05:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unauthenticated Integrity Compromise via JavaFX in Oracle Java SE 8u471-b50 |

Thu, 29 Jan 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Oracle jdk; Oracle jre |
| CPEs | | cpe:2.3:a:oracle:jdk:1.8.0:update471_b50:*:*:-:*:*:*; cpe:2.3:a:oracle:jre:1.8.0:update471_b50:*:*:-:*:*:* |
| Vendors & Products | | Oracle jdk; Oracle jre |

Wed, 21 Jan 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-79 |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 20 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). |
| First Time appeared | | Oracle; Oracle java Se |
| CPEs | | cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle java Se |
| References | | |
| Metrics | | cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T15:09:50.772Z

Reserved: 2026-01-05T18:07:34.712Z

Link: CVE-2026-21947

Vulnrichment

Updated: 2026-01-21T15:09:37.780Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:57.620

Modified: 2026-01-29T20:58:40.380

Link: CVE-2026-21947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses