{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-21966","assignerOrgId":"43595867-4340-4103-b7a2-9a5208d29a85","state":"PUBLISHED","assignerShortName":"oracle","dateReserved":"2026-01-05T18:07:34.714Z","datePublished":"2026-01-20T21:56:33.912Z","dateUpdated":"2026-01-21T19:54:47.033Z"},"containers":{"cna":{"providerMetadata":{"orgId":"43595867-4340-4103-b7a2-9a5208d29a85","shortName":"oracle","dateUpdated":"2026-01-20T21:56:33.912Z"},"problemTypes":[{"descriptions":[{"lang":"en-US","description":"Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as  unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data."}]}],"affected":[{"vendor":"Oracle Corporation","product":"Oracle Hospitality OPERA 5 Property Services","versions":[{"version":"5.6.19.23","status":"affected","versionType":"semver"},{"version":"5.6.25.17","status":"affected","versionType":"semver"},{"version":"5.6.26.10","status":"affected","versionType":"semver"},{"version":"5.6.27.4","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.19.23:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.25.17:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.26.10:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.27.4:*:*:*:*:*:*:*"}]}]}],"descriptions":[{"lang":"en-US","value":"Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera).  Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and  5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as  unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."}],"references":[{"url":"https://www.oracle.com/security-alerts/cpujan2026.html","name":"Oracle Advisory","tags":["vendor-advisory"]}],"metrics":[{"cvssV3_1":{"attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM"}}]},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-noinfo Not enough information"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-21T19:53:17.895109Z","id":"CVE-2026-21966","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-21T19:54:47.033Z"}}]}}