CVE-2026-21939
PUBLISHED
CVSS 7 HIGH
Vulnerability in the SQLcl component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where SQLcl executes to compromise SQLcl. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of SQLcl. CVSS 3.1 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
EPSS 0.02% · 5.1th percentile
Risk Scores
- CVSS 3.1: 7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
- EPSS Score: 0.02% (5.1th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle Corporation | Oracle Database Server | 23.4.0 |
| oracle | database_-_sqlcl | 23.4.0 |
| oracle | database_server | 23.4, 23.4 |
Exploit Intelligence
- CIRCL seen: CVE-2026-21939 (circl-sighting)
- Oracle Advisory (circl)
Timeline
- CVE Published
- Jan 21, 2026 EPSS Score
- Jan 21, 2026 PoC Published
- Jan 24, 2026 EPSS Score
- Jan 26, 2026 EPSS Score
- Jan 29, 2026 EPSS Score
- Feb 1, 2026 EPSS Score
- Feb 4, 2026 EPSS Score
- Feb 6, 2026 EPSS Score
- Feb 9, 2026 EPSS Score
References
- Oracle Advisory vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-21939 advisory