Oracle Application Express — known CVE vulnerabilities
Every CVE whose affected-product data names Oracle Application Express, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (47)
CVE-2008-1822 — CVSS 10.0 (critical): Unspecified vulnerability in the Oracle Application Express component in Oracle Application Express 3.0.1 has unknown impact and remote…
CVE-2023-21975 — CVSS 9.0 (critical): Vulnerability in the Application Express Customers Plugin product of Oracle Application Express (component: User Account). Supported…
CVE-2023-21974 — CVSS 9.0 (critical): Vulnerability in the Application Express Team Calendar Plugin product of Oracle Application Express (component: User Account). Supported…
CVE-2025-50067 — CVSS 9.0 (critical): Vulnerability in Oracle Application Express (component: Strategic Planner Starter App). Supported versions that are affected are 24.2.4 and…
CVE-2021-41164 — CVSS 8.2 (high): CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter…
CVE-2021-41165 — CVSS 8.2 (high): CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module…
CVE-2021-32808 — CVSS 7.6 (high): ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget…
CVE-2021-32723 — CVSS 7.4 (high): Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When…
CVE-2021-37695 — CVSS 7.3 (high): ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake…
CVE-2021-26271 — CVSS 6.5 (medium): It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles…
CVE-2022-24729 — CVSS 6.5 (medium): CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the…
CVE-2021-41184 — CVSS 6.5 (medium): jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the…
CVE-2021-41183 — CVSS 6.5 (medium): jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the…
CVE-2021-41182 — CVSS 6.5 (medium): jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the…
CVE-2021-26272 — CVSS 6.5 (medium): It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the…
CVE-2020-26870 — CVSS 6.1 (medium): Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the…
CVE-2020-27193 — CVSS 6.1 (medium): A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web…
CVE-2020-9281 — CVSS 6.1 (medium): A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject…
CVE-2019-10219 — CVSS 6.1 (medium): A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of…
CVE-2018-2699 — CVSS 6.1 (medium): Vulnerability in the Application Express component of Oracle Database Server. The supported version that is affected is Prior to…
CVE-2016-7103 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via…
CVE-2016-3448 — CVSS 6.1 (medium): Unspecified vulnerability in the Application Express component in Oracle Database Server before 5.0.4 allows remote attackers to affect…
CVE-2019-11358 — CVSS 6.1 (medium): jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of…
CVE-2016-3467 — CVSS 5.8 (medium): Unspecified vulnerability in the Application Express component in Oracle Database Server before 5.0.4 allows remote attackers to affect…
CVE-2023-21983 — CVSS 5.6 (medium): Vulnerability in the Application Express Administration product of Oracle Application Express (component: None). Supported versions that…
CVE-2008-1811 — CVSS 5.5 (medium): Unspecified vulnerability in Oracle Application Express 3.0.1 has unspecified impact and remote authenticated attack vectors related to…
CVE-2021-2460 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected…
CVE-2020-14899 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected…
CVE-2020-14898 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express Packaged Apps component of Oracle Database Server. The supported version that is affected…
CVE-2020-14763 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express Quick Poll component of Oracle Database Server. The supported version that is affected is…
CVE-2025-21557 — CVSS 5.4 (medium): Vulnerability in Oracle Application Express (component: General). Supported versions that are affected are 23.2 and 24.1. Easily…
CVE-2020-14762 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to…
CVE-2020-2976 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2…
CVE-2020-2975 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2…
CVE-2020-2974 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2…
CVE-2020-2973 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2…
CVE-2020-2972 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2…
CVE-2020-2971 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2…
CVE-2020-2513 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2…
CVE-2022-24728 — CVSS 5.4 (medium): CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing…
CVE-2020-14900 — CVSS 5.4 (medium): Vulnerability in the Oracle Application Express Group Calendar component of Oracle Database Server. The supported version that is affected…
CVE-2020-7760 — CVSS 5.3 (medium): This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular…
CVE-2024-21261 — CVSS 4.9 (medium): Vulnerability in Oracle Application Express (component: General). Supported versions that are affected are 23.2 and 24.1. Difficult to…
CVE-2020-2977 — CVSS 4.6 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. Supported versions that are affected are 5.1-19.2…
CVE-2020-2514 — CVSS 4.6 (medium): Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to…
CVE-2021-32809 — CVSS 4.6 (medium): ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4…