{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35243", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-04-01T20:03:40.833Z", "datePublished": "2026-04-21T20:35:50.273Z", "dateUpdated": "2026-04-21T20:35:50.273Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:50.273Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF)."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Application Development Framework (ADF)", "versions": [{"version": "12.2.1.4.0", "status": "affected", "versionType": "semver"}, {"version": "14.1.2.0.0", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:application_development_framework:12.2.1.4.0:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:application_development_framework:14.1.2.0.0:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)."}], "id": "CVE-2026-35243", "lastModified": "2026-04-21T21:16:40.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:40.260", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:44:50.931292+00:00", "value": {"mitigation_remediation": ["Apply the Oracle CPU April 2026 security update for ADF (12.2.1.4.0 and 14.1.2.0.0) as documented by Oracle.", "Limit local logon privileges on servers running Oracle ADF to only essential administrative accounts.", "Disable or restrict access to any unnecessary ADF Faces components or services that are not required for production operations."], "summary": {"action": "Apply Patch", "impact": "Compromise of Oracle ADF leading to system takeover"}, "threat_synthesis": {"affected_systems": "Oracle Corporation\u2019s Oracle Application Development Framework (ADF) is affected. The vulnerability applies to the ADF Faces feature in supported releases 12.2.1.4.0 and 14.1.2.0.0, which are components of Oracle Fusion Middleware. Systems running these specific versions are susceptible without the pending security update.", "description_and_impact": "The vulnerability resides in the Oracle Application Development Framework (ADF) Faces component and permits a low\u2011privileged attacker who has logon access to the infrastructure hosting ADF to compromise the entire ADF instance. Exploitation can result in full takeover of the framework, allowing the attacker to read, modify, or delete application data and potentially influence other dependent applications. The impact covers confidentiality, integrity, and availability, as indicated by the CVSS vector, which reflects local attack, low complexity, low privilege, no user interaction, and high impact on all three security objectives.", "risk_and_exploitability": "The CVSS v3.1 score of 7.8 denotes a high severity vulnerability. While no EPSS score is publicly available, the vulnerability is not listed in the CISA KEV catalog, suggesting it is currently unexploited in the wild. However, the low attacker privilege requirement and local execution nature imply that an attacker who can log into the underlying host can easily exploit the flaw, leading to a full takeover of the ADF instance."}}}}, "created": "2026-04-22T04:45:09.356584+00:00", "title": "Low\u2011Privilege Oracle ADF Faces Vulnerability Allows System Takeover", "updated": "2026-04-22T04:45:09.356596+00:00", "vendors": [], "weaknesses": ["CWE-285"]}