Impact
The vulnerability resides in the Oracle Application Development Framework (ADF) Faces component and permits a low-privileged attacker who has logon access to the infrastructure hosting ADF to compromise the entire ADF instance. Exploitation can result in full takeover of the framework, allowing the attacker to read, modify, or delete application data and potentially influence other dependent applications. The impact covers confidentiality, integrity, and availability, as indicated by the CVSS vector: local attack vector, low attack complexity, low privileges required, no user interaction, and high impact on all three security objectives.
Affected Systems
Oracle Corporation's Oracle Application Development Framework (ADF), a component of Oracle Fusion Middleware, is affected. The vulnerability applies to the ADF Faces feature in supported releases 12.2.1.4.0 and 14.1.2.0.0. Systems running these specific versions remain susceptible until the pending security update is applied.
Risk and Exploitability
The CVSS v3.1 score of 7.8 denotes a high-severity vulnerability. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is currently unexploited in the wild. However, the low privilege requirement and local attack vector imply that an attacker who can log into the underlying host can easily exploit the flaw, leading to a full takeover of the ADF instance.