Oracle Rest Data Services — known CVE vulnerabilities
Every CVE whose affected-product data names Oracle Rest Data Services, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (34)
CVE-2026-46840 — CVSS 10.0 (critical): Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0…
CVE-2026-46775 — CVSS 9.9 (critical): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable…
CVE-2026-46839 — CVSS 9.9 (critical): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable…
CVE-2017-7658 — CVSS 9.8 (critical): In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when…
CVE-2017-7657 — CVSS 9.8 (critical): In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance…
CVE-2026-35277 — CVSS 8.1 (high): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable…
CVE-2026-35266 — CVSS 7.9 (high): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit…
CVE-2021-28165 — CVSS 7.5 (high): In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large…
CVE-2026-46829 — CVSS 7.5 (high): Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily…
CVE-2017-9735 — CVSS 7.5 (high): Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain…
CVE-2021-41184 — CVSS 6.5 (medium): jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the…
CVE-2021-41182 — CVSS 6.5 (medium): jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the…
CVE-2021-41183 — CVSS 6.5 (medium): jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the…
CVE-2020-14744 — CVSS 6.5 (medium): Vulnerability in the Oracle REST Data Services product of Oracle REST Data Services (component: General). Supported versions that are…
CVE-2019-11358 — CVSS 6.1 (medium): jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of…
CVE-2019-10241 — CVSS 6.1 (medium): In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote…
CVE-2019-10219 — CVSS 6.1 (medium): A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of…
CVE-2025-30756 — CVSS 6.1 (medium): Vulnerability in Oracle REST Data Services (component: General). The supported version that is affected is 24.2.0. Easily exploitable…
CVE-2021-32014 — CVSS 5.5 (medium): SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is…
CVE-2021-32012 — CVSS 5.5 (medium): SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that…
CVE-2021-32013 — CVSS 5.5 (medium): SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that…
CVE-2026-46843 — CVSS 5.3 (medium): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable…
CVE-2026-46830 — CVSS 5.3 (medium): Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily…
CVE-2019-10246 — CVSS 5.3 (medium): In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base…
CVE-2026-46841 — CVSS 5.3 (medium): Vulnerability in Oracle REST Data Services (component: General). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable…
CVE-2026-46842 — CVSS 5.3 (medium): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable…
CVE-2021-34429 — CVSS 5.3 (medium): For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the…
CVE-2021-28169 — CVSS 5.3 (medium): For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to…
CVE-2020-27223 — CVSS 5.2 (medium): In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple…
CVE-2021-29425 — CVSS 4.8 (medium): In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or…
CVE-2020-27218 — CVSS 4.8 (medium): In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request…
CVE-2020-14745 — CVSS 4.3 (medium): Vulnerability in the Oracle REST Data Services product of Oracle REST Data Services (component: General). Supported versions that are…
CVE-2021-34428 — CVSS 2.9 (low): For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method…