The version of AOS installed on the remote host is prior to 7.5.1. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-7.5.1 advisory.

  - A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in     the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow.
    The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The     identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended     to deploy a patch. The code maintainer replied with [f]ixed for 2.46. (CVE-2025-11083)

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

  - The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing     hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled     SSRF if a URL is processed by more than one URL parser. (CVE-2024-11168)

  - CPython 3.9 and earlier doesn't disallow configuring an empty list ([]) for     SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a     buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity     due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically     a protocol name would be configured). (CVE-2024-5642)

  - A vulnerability has been found in the CPython `venv` module and CLI where path names provided when     creating a virtual environment were not quoted properly, allowing the creator to inject commands into     virtual environment activation scripts (ie source venv/bin/activate). This means that attacker-     controlled virtual environments are able to run commands when the virtual environment is activated.
    Virtual environments which are not created by an attacker or which aren't activated before being used (ie     ./venv/bin/python) are not affected. (CVE-2024-9287)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 7.5.0.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-7.5.0.5 advisory.

  - Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker     to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0     through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1     through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. (CVE-2025-40778)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461,     8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM     Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network     access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical     data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g.,     through a web service which supplies data to the APIs. This vulnerability also applies to Java     deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets,     that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox     for security. (CVE-2025-53066)

  - Spring Framework MVC applications can be vulnerable to a Path Traversal Vulnerability when deployed on a     non-compliant Servlet container. An application can be vulnerable when all the following are true: * the     application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not     reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-     spec-6.1.html#uri-path-canonicalization * the application serves static resources     https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title     with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse     Jetty are not vulnerable, as long as default security features are not disabled in the configuration.
    Because we cannot check exploits against all Servlet containers and configuration variants, we strongly     recommend upgrading your application. (CVE-2025-41242)

  - libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small     document that is submitted for parsing. (CVE-2025-59375)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461,     8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM     Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with     network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion     or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM     Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the     specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also     applies to Java deployments, typically in clients running sandboxed Java Web Start applications or     sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and     rely on the Java sandbox for security. (CVE-2025-53057)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods     within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if     such annotations are used for authorization decisions. Your application may be affected by this if you are     using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using     @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or     generic interfaces. This CVE is published in conjunction with CVE-2025-41248     https://spring.io/security/cve-2025-41248 . (CVE-2025-41249)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-102132 advisory.

  - The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods     within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if     such annotations are used for authorization decisions. Your application may be affected by this if you are     using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using     @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or     generic interfaces. This CVE is published in conjunction with CVE-2025-41248     https://spring.io/security/cve-2025-41248 . (CVE-2025-41249)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition (OAS) 8.2.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Core (Apache XMLBeans)). The supported version that is affected is 8.2.0.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise     Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2021-23926)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (jackson-core)). Supported versions that are affected are 7.6.0.0.0 and     8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     Oracle Business Intelligence Enterprise Edition. (CVE-2025-52999)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0.     Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where     Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation,     deletion or modification access to critical data or all Oracle Business Intelligence Enterprise     Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle     Business Intelligence Enterprise Edition accessible data. (CVE-2026-21976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.45, 6.1.x prior to 6.1.23, or 6.2.x prior to 6.2.11. It is, therefore, affected by an annotation detection vulnerability:

  - The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type     hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are     used for authorization decisions. Your application may be affected by this if you are using Spring Security's     @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do     not use security annotations on methods in generic superclasses or generic interfaces. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Apache Log4j)). Supported versions that are affected are 21.12.0-21.12.16. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via TLS to compromise Primavera Gateway.
    While the vulnerability is in Primavera Gateway, attacks may significantly impact additional products     (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or     delete access to some of Primavera Gateway accessible data as well as unauthorized read access to a subset     of Primavera Gateway accessible data. (CVE-2025-68161)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Spring Framework)). Supported versions that are affected are 21.12.0-21.12.16. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera     Gateway. Successful attacks of this vulnerability can result in unauthorized access to critical data or     complete access to all Primavera Gateway accessible data. (CVE-2025-41249)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 7.0.1.13. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-7.0.1.13 advisory.

  - Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker     to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0     through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1     through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. (CVE-2025-40778)

  - The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods     within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if     such annotations are used for authorization decisions. Your application may be affected by this if you are     using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using     @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or     generic interfaces. This CVE is published in conjunction with CVE-2025-41248     https://spring.io/security/cve-2025-41248 . (CVE-2025-41249)

  - Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was     introduced which means that the entire temporary file is read into memory and then logged. An attacker     might be able to exploit this to cause a denial of service attack by causing an out of memory exception.
    In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials     from being cached unencrypted on the local filesystem, however this bug means that the cached files are     written out to logs unencrypted. Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or     4.1.1, which fixes this issue. (CVE-2025-48795)

  - Spring Framework MVC applications can be vulnerable to a Path Traversal Vulnerability when deployed on a     non-compliant Servlet container. An application can be vulnerable when all the following are true: * the     application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not     reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-     spec-6.1.html#uri-path-canonicalization * the application serves static resources     https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title     with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse     Jetty are not vulnerable, as long as default security features are not disabled in the configuration.
    Because we cannot check exploits against all Servlet containers and configuration variants, we strongly     recommend upgrading your application. (CVE-2025-41242)

  - libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small     document that is submitted for parsing. (CVE-2025-59375)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 versions of WebLogic Server installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (Eclipse Jersey)). Supported versions that are affected are 14.1.1.0.0, 14.1.2.0.0 and     15.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via     HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in     unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server     accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic     Server accessible data. (CVE-2025-12383)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (Apache Commons FileUpload)). Supported versions that are affected are 12.2.1.4.0 and     14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.
    (CVE-2025-48976)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core (Spring     Framework)). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     access to critical data or complete access to all Oracle WebLogic Server accessible data. (CVE-2025-41249)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 12.2.1.4.0 and 14.1.2.1.0 versions of Identity Manager installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Installer     (Spring Framework)). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Identity Manager. Successful attacks of this vulnerability can result in unauthorized access to     critical data or complete access to all Oracle Identity Manager accessible data. (CVE-2025-41249)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 7.6.0.0.0 and 8.2.0.0.0 versions of Oracle Business Intelligence Publisher installed on the remote host are affected by a vulnerability as referenced in the January 2026 CPU advisory.

  - Security-in-Depth issue in the Oracle BI Publisher product of Oracle Analytics (component: Development     Operations (Apache Tomcat)). The Spring Framework annotation detection mechanism may not correctly resolve annotations     on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such     annotations are used for authorization decisions. Your application may be affected by this if you are using Spring     Security's @EnableMethodSecurity feature. (CVE-2025-41249)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 7.3.1.4. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-7.3.1.4 advisory.

  - Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker     to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0     through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1     through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. (CVE-2025-40778)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461,     8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM     Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network     access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical     data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g.,     through a web service which supplies data to the APIs. This vulnerability also applies to Java     deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets,     that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox     for security. (CVE-2025-53066)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461,     8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM     Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with     network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion     or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM     Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the     specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also     applies to Java deployments, typically in clients running sandboxed Java Web Start applications or     sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and     rely on the Java sandbox for security. (CVE-2025-53057)

  - Spring Framework MVC applications can be vulnerable to a Path Traversal Vulnerability when deployed on a     non-compliant Servlet container. An application can be vulnerable when all the following are true: * the     application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not     reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-     spec-6.1.html#uri-path-canonicalization * the application serves static resources     https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title     with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse     Jetty are not vulnerable, as long as default security features are not disabled in the configuration.
    Because we cannot check exploits against all Servlet containers and configuration variants, we strongly     recommend upgrading your application. (CVE-2025-41242)

  - libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small     document that is submitted for parsing. (CVE-2025-59375)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Intelligence Enterprise Edition (OAS) 7.6.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Platform Security (OpenSSL)). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0     and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access     via TLS to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2025-9230)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (jackson-core)). Supported versions that are affected are 7.6.0.0.0 and     8.2.0.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     Oracle Business Intelligence Enterprise Edition. (CVE-2025-52999)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0.     Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where     Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation,     deletion or modification access to critical data or all Oracle Business Intelligence Enterprise     Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle     Business Intelligence Enterprise Edition accessible data. (CVE-2026-21976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of Primavera Unifier installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory.

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component:
    Integration (Apache Tika)). Supported versions that are affected are 21.12.0-21.12.17, 22.12.0-22.12.15,     23.12.0-23.12.16, 24.12.0-24.12.12 and 25.12.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Primavera Unifier. While the vulnerability is in     Primavera Unifier, attacks may significantly impact additional products (scope change). Successful attacks     of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera     Unifier accessible data as well as unauthorized read access to a subset of Primavera Unifier accessible     data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera Unifier.
    (CVE-2025-66516)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: Reports     (iTextPDF)). Supported versions that are affected are 21.12.0-21.12.17, 22.12.0-22.12.15,     23.12.0-23.12.16, 24.12.0-24.12.12 and 25.12.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTPS to compromise Primavera Unifier. Successful attacks of this     vulnerability can result in takeover of Primavera Unifier. (CVE-2021-43113)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component:
    Integration (Spring Framework)). Supported versions that are affected are 22.12.0-22.12.15,     23.12.0-23.12.16, 24.12.0-24.12.12 and 25.12.0. Easily exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise Primavera Unifier. Successful attacks of this     vulnerability can result in unauthorized access to critical data or complete access to all Primavera     Unifier accessible data. (CVE-2025-41242, CVE-2025-41249)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
305057	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-7.5.1)	Nessus	Misc.	4/6/2026	4/7/2026	medium
299031	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-7.5.0.5)	Nessus	Misc.	2/13/2026	4/2/2026	high
265596	Linux Distros Unpatched Vulnerability : CVE-2025-41249	Nessus	Misc.	9/20/2025	4/29/2026	high
299659	Atlassian Confluence 7.19.x < 9.2.14 / 9.2.15 / 9.3.x < 10.2.3 / 10.2.6 (CONFSERVER-102132)	Nessus	CGI abuses	2/20/2026	2/20/2026	high
296368	Oracle Business Intelligence Enterprise Edition (OAS 8.2) (January 2026 CPU)	Nessus	Misc.	1/23/2026	3/4/2026	high
265379	Spring Framework 5.3.x < 5.3.45 / 6.1.x < 6.1.23 / 6.2.x < 6.2.11 Annotation Detection Vulnerability (CVE-2025-41249)	Nessus	Misc.	9/18/2025	1/21/2026	high
296366	Oracle Primavera Gateway (January 2026 CPU)	Nessus	CGI abuses	1/23/2026	1/26/2026	medium
299020	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-7.0.1.13)	Nessus	Misc.	2/13/2026	3/10/2026	high
294869	Oracle WebLogic Server (January 2026 CPU)	Nessus	Misc.	1/21/2026	3/3/2026	critical
296246	Oracle Identity Manager (January 2026 CPU)	Nessus	Misc.	1/23/2026	1/26/2026	high
296415	Oracle Business Intelligence Publisher (January 2026 CPU)	Nessus	Misc.	1/23/2026	3/4/2026	high
299029	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-7.3.1.4)	Nessus	Misc.	2/13/2026	2/13/2026	high
296370	Oracle Business Intelligence Enterprise Edition (OAS 7.6) (January 2026 CPU)	Nessus	Misc.	1/23/2026	3/4/2026	high
295029	Oracle Primavera Unifier (January 2026 CPU)	Nessus	CGI abuses	1/22/2026	1/26/2026	critical

Detections

Analytics

Plugins Search

medium

high

high

high

high

high

medium

high

critical

high

high

high

high

critical