The version of Oracle Business Intelligence Enterprise Edition 12.2.1.4 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (json-smart)). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0     and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2024-57699)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (Apache POI)). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0     and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via     multiple protocols to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of     this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS)     of Oracle Business Intelligence Enterprise Edition. (CVE-2025-31672)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Platform Security (Apache Commons Lang)). Supported versions that are affected are 7.6.0.0.0,     8.2.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network     access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this     vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of     Oracle Business Intelligence Enterprise Edition. (CVE-2025-48924)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition (OAS) 8.2.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Core (Apache XMLBeans)). The supported version that is affected is 8.2.0.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise     Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2021-23926)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (jackson-core)). Supported versions that are affected are 7.6.0.0.0 and     8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     Oracle Business Intelligence Enterprise Edition. (CVE-2025-52999)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0.     Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where     Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation,     deletion or modification access to critical data or all Oracle Business Intelligence Enterprise     Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle     Business Intelligence Enterprise Edition accessible data. (CVE-2026-21976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Process Management Suite installed on the remote host is affected by a vulnerability, as referenced in the July 2025 CPU advisory:

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Oracle Business Rules (Apache POI)). Supported versions that are affected are 12.2.1.4.0 and     14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access to some of Oracle Business Process Management     Suite accessible data. (CVE-2025-31672)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2025 CPU advisory.

  - Vulnerability in the SQLcl (jgit) component of Oracle Database Server. Supported versions that are     affected are 23.4-23.9. Difficult to exploit vulnerability allows low privileged attacker having Valid     account privilege with network access via HTTP to compromise SQLcl (jgit). Successful attacks require     human interaction from a person other than the attacker. Successful attacks of this vulnerability can     result in unauthorized access to critical data or complete access to all SQLcl (jgit) accessible data.
    (CVE-2025-4949)

  - Vulnerability in the RDBMS (Python) component of Oracle Database Server. Supported versions that are     affected are 21.3-21.19 and 23.4-23.9. Easily exploitable vulnerability allows low privileged attacker     having Authenticated User privilege with logon to the infrastructure where RDBMS (Python) executes to     compromise RDBMS (Python). Successful attacks require human interaction from a person other than the     attacker. Successful attacks of this vulnerability can result in takeover of RDBMS (Python).
    (CVE-2024-12254, CVE-2024-12718, CVE-2024-6923, CVE-2024-8088, CVE-2025-1795, CVE-2025-4138,     CVE-2025-4330, CVE-2025-4435, CVE-2025-4517)

  - Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are     19.3-19.28, 21.3-21.19 and 23.4-23.9. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can     result in unauthorized creation, deletion or modification access to critical data or all Java VM     accessible data. (CVE-2025-61881)

  - Vulnerability in the Portable Clusterware component of Oracle Database Server. Supported versions that are     affected are 19.3-19.28, 21.3-21.19 and 23.4-23.9. Easily exploitable vulnerability allows unauthenticated     attacker with network access via Bonjour to compromise Portable Clusterware. While the vulnerability is in     Portable Clusterware, attacks may significantly impact additional products (scope change). Successful     attacks of this vulnerability can result in unauthorized read access to a subset of Portable Clusterware     accessible data. (CVE-2025-53047)

  - Vulnerability in the Unified Audit component of Oracle Database Server. Supported versions that are     affected are 23.4-23.9. Easily exploitable vulnerability allows high privileged attacker having DBA     privilege with network access via Oracle Net to compromise Unified Audit. Successful attacks of this     vulnerability can result in unauthorized update, insert or delete access to some of Unified Audit     accessible data. (CVE-2025-61749)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition (OAS) 7.6.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Platform Security (OpenSSL)). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0     and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access     via TLS to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2025-9230)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (jackson-core)). Supported versions that are affected are 7.6.0.0.0 and     8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     Oracle Business Intelligence Enterprise Edition. (CVE-2025-52999)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0.     Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where     Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation,     deletion or modification access to critical data or all Oracle Business Intelligence Enterprise     Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle     Business Intelligence Enterprise Edition accessible data. (CVE-2026-21976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache POI installed on the remote host is a version prior to 5.4.0. It is, therefore, affected by an improper input validation vulnerability. The issue affects the parsing of OOXML format files like xlsx, docx, and pptx. These file formats are essentially zip files, and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In such cases, products reading the affected file could read different data because one of the zip entries with the duplicate name is selected over another, but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. Version 5.4.0 introduces a check that throws an exception if zip entries with duplicate file names are found in the input file.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of SAP BusinessObjects Business Intelligence Platform installed on the remote host is prior to 2025 SP000 000500, 4.3 SP004 001400, or 4.3 SP005 000200. It is, therefore, affected by a vulnerability as referenced in the 3617142 advisory. 

  - Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format     files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for     malicious users to add zip entries with duplicate names (including the path) in the zip. In this case,     products reading the affected file could read different data because 1 of the zip entries with the     duplicate name is selected over another but different products may choose a different zip entry.     (CVE-2025-31672)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files     like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious     users to add zip entries with duplicate names (including the path) in the zip. In this case, products     reading the affected file could read different data because 1 of the zip entries with the duplicate name     is selected over another but different products may choose a different zip entry. This issue affects     Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries     with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-     ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations     about how to use the POI libraries securely. (CVE-2025-31672)

Note that Nessus relies on the presence of the package as reported by the vendor.

The 7.6.0.0.0 and 8.2.0.0.0 versions of Oracle Business Intelligence Publisher installed on the remote host are affected by a vulnerability as referenced in the January 2026 CPU advisory.

  - Security-in-Depth issue in the Oracle BI Publisher product of Oracle Analytics (component: Development     Operations (Apache Tomcat)). The Spring Framework annotation detection mechanism may not correctly resolve annotations     on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such     annotations are used for authorization decisions. Your application may be affected by this if you are using Spring     Security's @EnableMethodSecurity feature. (CVE-2025-41249)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
296369	Oracle Business Intelligence Enterprise Edition (12.2.1.4) (January 2026 CPU)	Nessus	Misc.	1/23/2026	4/30/2026	medium
296368	Oracle Business Intelligence Enterprise Edition (OAS 8.2) (January 2026 CPU)	Nessus	Misc.	1/23/2026	4/30/2026	high
242326	Oracle Business Process Management Suite (July 2025 CPU)	Nessus	Misc.	7/18/2025	1/22/2026	medium
271256	Oracle Database Server (October 2025 CPU)	Nessus	Databases	10/23/2025	2/24/2026	high
296370	Oracle Business Intelligence Enterprise Edition (OAS 7.6) (January 2026 CPU)	Nessus	Misc.	1/23/2026	4/30/2026	high
234190	Apache POI < 5.4.0 Improper Input Validation	Nessus	Misc.	4/11/2025	1/20/2026	medium
271808	SAP BusinessObjects Business Intelligence Platform Deserialization (3617142)	Nessus	Windows	10/28/2025	10/28/2025	medium
234194	Linux Distros Unpatched Vulnerability : CVE-2025-31672	Nessus	Misc.	4/11/2025	4/29/2026	medium
296415	Oracle Business Intelligence Publisher (January 2026 CPU)	Nessus	Misc.	1/23/2026	4/30/2026	high

Detections

Analytics

Plugins Search

medium

high

medium

high

high

medium

medium

medium

high