The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .

oracle CPUJan2026: Business Intelligence Enterprise Edition

The 7.6.0.0.0 and 8.2.0.0.0 versions of Oracle Business Intelligence Publisher installed on the remote host are affected by a vulnerability as referenced in the January 2026 CPU advisory.

  - Security-in-Depth issue in the Oracle BI Publisher product of Oracle Analytics (component: Development     Operations (Apache Tomcat)). The Spring Framework annotation detection mechanism may not correctly resolve annotations     on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such     annotations are used for authorization decisions. Your application may be affected by this if you are using Spring     Security's @EnableMethodSecurity feature. (CVE-2025-41249)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition (OAS) 7.6.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Platform Security (OpenSSL)). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0     and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access     via TLS to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2025-9230)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (jackson-core)). Supported versions that are affected are 7.6.0.0.0 and     8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     Oracle Business Intelligence Enterprise Edition. (CVE-2025-52999)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0.     Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where     Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation,     deletion or modification access to critical data or all Oracle Business Intelligence Enterprise     Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle     Business Intelligence Enterprise Edition accessible data. (CVE-2026-21976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition (OAS) 8.2.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Core (Apache XMLBeans)). The supported version that is affected is 8.2.0.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise     Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2021-23926)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (jackson-core)). Supported versions that are affected are 7.6.0.0.0 and     8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     Oracle Business Intelligence Enterprise Edition. (CVE-2025-52999)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0.     Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where     Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation,     deletion or modification access to critical data or all Oracle Business Intelligence Enterprise     Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle     Business Intelligence Enterprise Edition accessible data. (CVE-2026-21976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Apache Log4j)). Supported versions that are affected are 21.12.0-21.12.16. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via TLS to compromise Primavera Gateway.
    While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products     (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or     delete access to some of Primavera Gateway accessible data as well as unauthorized read access to a subset     of Primavera Gateway accessible data. (CVE-2025-68161)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Spring Framework)). Supported versions that are affected are 21.12.0-21.12.16. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera     Gateway. Successful attacks of this vulnerability can result in unauthorized access to critical data or     complete access to all Primavera Gateway accessible data. (CVE-2025-41249)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 12.2.1.4.0 and 14.1.2.1.0 versions of Identity Manager installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Installer     (Spring Framework)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Identity Manager. Successful attacks of this vulnerability can result in unauthorized access to     critical data or complete access to all Oracle Identity Manager accessible data. (CVE-2025-41249)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component:
    Integration (Apache Tika)). Supported versions that are affected are 21.12.0-21.12.17, 22.12.0-22.12.15,     23.12.0-23.12.16, 24.12.0-24.12.12 and 25.12.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Primavera Unifier. While the vulnerability is in     Primavera Unifier, attacks may significantly impact additional products (scope change). Successful attacks     of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera     Unifier accessible data as well as unauthorized read access to a subset of Primavera Unifier accessible     data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera Unifier.
    (CVE-2025-66516)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Reports     (iTextPDF)). Supported versions that are affected are 21.12.0-21.12.17, 22.12.0-22.12.15,     23.12.0-23.12.16, 24.12.0-24.12.12 and 25.12.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTPS to compromise Primavera Unifier. Successful attacks of this     vulnerability can result in takeover of Primavera Unifier. (CVE-2021-43113)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component:
    Integration (Spring Framework)). Supported versions that are affected are 22.12.0-22.12.15,     23.12.0-23.12.16, 24.12.0-24.12.12 and 25.12.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Primavera Unifier. Successful attacks of this     vulnerability can result in unauthorized access to critical data or complete access to all Primavera     Unifier accessible data. (CVE-2025-41242, CVE-2025-41249)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 versions of WebLogic Server installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (Eclipse Jersey)). Supported versions that are affected are 14.1.1.0.0, 14.1.2.0.0 and     15.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in     unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server     accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic     Server accessible data. (CVE-2025-12383)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (Apache Commons FileUpload)). Supported versions that are affected are 12.2.1.4.0 and     14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.
    (CVE-2025-48976)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core (Spring     Framework)). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     access to critical data or complete access to all Oracle WebLogic Server accessible data. (CVE-2025-41249)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods     within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if     such annotations are used for authorization decisions. Your application may be affected by this if you are     using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using     @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or     generic interfaces. This CVE is published in conjunction with CVE-2025-41248     https://spring.io/security/cve-2025-41248 . (CVE-2025-41249)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.45, 6.1.x prior to 6.1.23, or 6.2.x prior to 6.2.11. It is, therefore, affected by an annotation detection vulnerability:

  - The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type     hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are     used for authorization decisions. Your application may be affected by this if you are using Spring Security's     @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do     not use security annotations on methods in generic superclasses or generic interfaces. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
296415	Oracle Business Intelligence Publisher (January 2026 CPU)	Nessus	Misc.	high
296370	Oracle Business Intelligence Enterprise Edition (OAS 7.6) (January 2026 CPU)	Nessus	Misc.	high
296368	Oracle Business Intelligence Enterprise Edition (OAS 8.2) (January 2026 CPU)	Nessus	Misc.	high
296366	Oracle Primavera Gateway (January 2026 CPU)	Nessus	CGI abuses	medium
296246	Oracle Identity Manager (January 2026 CPU)	Nessus	Misc.	high
295029	Oracle Primavera Unifier (January 2026 CPU)	Nessus	CGI abuses	critical
294869	Oracle WebLogic Server (January 2026 CPU)	Nessus	Misc.	critical
265596	Linux Distros Unpatched Vulnerability : CVE-2025-41249	Nessus	Misc.	high
265379	Spring Framework 5.3.x < 5.3.45 / 6.1.x < 6.1.23 / 6.2.x < 6.2.11 Annotation Detection Vulnerability (CVE-2025-41249)	Nessus	Misc.	high

Detections

Analytics

CVE-2025-41249

high

Tenable Plugins

Coming Soon

high

high

high

medium

high

critical

critical

high

high