Description
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-04-21
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Platform Compromise
Action: Patch
AI Analysis

Impact

An easily exploitable flaw in the Event Management component of Oracle Enterprise Manager Base Platform allows an attacker who already possesses high privileges and can reach the system over a network to take over the platform. The vulnerability can lead to the compromise of confidentiality, integrity, and availability of the affected system.

Affected Systems

Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 are affected.

Risk and Exploitability

The CVSS base score of 9.1 indicates critical severity. The attack vector is network-based HTTP access, and the attacker must already hold high privileges. The EPSS score of less than 1% implies a very low exploitation probability at this time, and the vulnerability is not listed in KEV; even so, the high score and the potential impact on additional products mean that advanced threat actors may still consider this vulnerability.

Generated by OpenCVE AI on April 28, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle Enterprise Manager Base Platform patch or upgrade to a non‑affected version, and verify that the Event Management component enforces authentication for all sensitive operations to mitigate CWE‑306.
  • Restrict HTTP access to the Event Management component by configuring firewalls or network segmentation to limit who can reach the vulnerable interfaces.
  • Disable or remove the Event Management feature if it is not required for your environment to eliminate the attack surface.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Event Management Remote Platform Compromise in Oracle Enterprise Manager Base Platform (13.5/24.1)
Weaknesses CWE-284

Fri, 24 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:24.1.0.0.0:*:*:*:*:*:*:*

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 22 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Event Management Remote Platform Compromise in Oracle Enterprise Manager Base Platform (13.5/24.1)

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle Enterprise Manager Base Platform
CPEs cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:24.1:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle Enterprise Manager Base Platform
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:20:26.979Z

Reserved: 2026-03-26T19:48:45.675Z

Link: CVE-2026-34279

Vulnrichment

Updated: 2026-04-22T14:20:23.896Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:32.180

Modified: 2026-04-24T16:43:19.373

Link: CVE-2026-34279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses