mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.

oracle CPUApr2026: Business Intelligence Enterprise Edition

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14873 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.

    Security Fix(es):

    * python-pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image (CVE-2026-25990)

    * candlepin: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects     (CVE-2026-27727)

    * python-markdown: denial of service via malformed HTML-like sequences (CVE-2025-69534)

    * python-pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459)

    * rubygem-activesupport: Active Support: Denial of Service via large scientific notation strings     (CVE-2026-33176)

    Bug Fix(es):

    * Satellite manifest consumer profile cert and key found in satellite client rhsm cache (SAT-43920)

    * All communication should happen only over https during global registration execution (SAT-43921)

    * Impossible to generate registration command via REST API in isolated networks managed by external     capsules (SAT-43922)

    * Errata applicability and Refresh applicability tasks for RHEL 7 hosts runs dnf command. (SAT-43923)

    * BIOS info is not populated in All hosts page and in Host Details tab (SAT-43925)

    * Executing the 'katello::clean_backend_objects' rake task takes a long time to complete (SAT-43926)

    * Puppet fact parser can't create OS entry blocking Satellite leapp upgrades (SAT-43928)

    * No repositories available through subscriptions on a cloud-instance host after registering it to Red Hat     Satellite using global registration method (SAT-43929)

    * Proxy password shown in clear text in the Overview page of Virt-who Configuration (SAT-43931)

    * Non-admin users on Satellite with viewer role, unable to see the hostgroup. (SAT-44039)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14874 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.

    Security Fix(es):

    * python-pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image (CVE-2026-25990)

    * candlepin: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects     (CVE-2026-27727)

    * python-markdown: denial of service via malformed HTML-like sequences (CVE-2025-69534)

    * python-pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459)

    * rubygem-activesupport: Active Support: Denial of Service via large scientific notation strings     (CVE-2026-33176)

    Bug Fix(es):

    * Satellite manifest consumer profile cert and key found in satellite client rhsm cache (SAT-43030)

    * All communication should happen only over https during global registration execution (SAT-44031)

    * Impossible to generate registration command via REST API in isolated networks managed by external     capsules (SAT-44032)

    * Executing the 'katello::clean_backend_objects' rake task takes a long time to complete (SAT-44033)

    * Puppet fact parser can't create OS entry blocking Satellite leapp upgrades (SAT-44035)

    * No repositories available through subscriptions on a cloud-instance host after registering it to Red Hat     Satellite using global registration method (SAT-44036)

    * Proxy password shown in clear text in the Overview page of Virt-who Configuration (SAT-43834)

    * Non-admin users on Satellite with viewer role, unable to see the hostgroup. (SAT-44034)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition (OAS) 7.6.0.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2026 CPU advisory.

  - mchange-commons-java, a library that provides Java utilities, includes code that mirrors early     implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by     which code can be downloaded and invoked within a running application. If an attacker can provoke an     application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke     the download and execution of malicious code. Implementations of this functionality within the JDK were     disabled by default behind a System property that defaults to `false`,     `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent     implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that     implementation could be provoked to download and execute malicious code even after the JDK was hardened.
    Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters     that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions     prior to 0.4.0 should be avoided on application CLASSPATHs. (CVE-2026-27727)

  - Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure     vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system     temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all     other users locally on the system. As such, if the contents written is security sensitive, it can be     disclosed to other local users. (CVE-2021-28168)

  - In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource     consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter     (PBKDF2) component. (CVE-2023-52428)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition (OAS) 8.2.0.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2026 CPU advisory.

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Platform Security (Eclipse Jersey)). Supported versions that are affected are 7.6.0.0.0 and     8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the     infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle     Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise     Edition accessible data. (CVE-2021-28168)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Platform Security (Mchange Commons Java)). Supported versions that are affected are 7.6.0.0.0     and 8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     LDAP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this     vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. (CVE-2026-27727)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: BI Platform Security (OpenSSL)). The supported version that is affected is 8.2.0.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle     Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other     than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Business     Intelligence Enterprise Edition. (CVE-2025-15467)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0855-1 advisory.

    c3p0:

    - Security issues fixed:

      - CVE-2026-27830: Fixed unsafe object deserialization (bsc#1258942)

    - Fix the null pointer exception in the userOverridesAsString       method (bsc#1259313).

    mchange-commons:

    - Security issues fixed:

      - CVE-2026-27727: Disabled remote ClassLoading when dereferencing javax.naming.Reference instances     (bsc#1258913)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
313174	RHEL 9 : Satellite 6.17.8 Async Update (Important) (RHSA-2026:14873)	Nessus	Red Hat Local Security Checks	critical
313105	RHEL 8 / 9 : Satellite 6.16.8 Async Update (Important) (RHSA-2026:14874)	Nessus	Red Hat Local Security Checks	critical
309965	Oracle Business Intelligence Enterprise Edition (OAS 7.6) (April 2026 CPU)	Nessus	Misc.	high
309964	Oracle Business Intelligence Enterprise Edition (OAS 8.2) (April 2026 CPU)	Nessus	Misc.	high
301811	openSUSE 15 Security Update : c3p0 and mchange-commons (SUSE-SU-2026:0855-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2026-27727

high

Tenable Plugins

Coming Soon

critical

critical

high

high

high