PatchSiren cyber security CVE debrief

CVE-2026-35253 Oracle CVE debrief

CVE-2026-35253 is a medium-severity vulnerability in Oracle's Macoron Tool, published on 2026-05-06 and last modified on 2026-05-10. The NVD entry identifies version v0.22.0 as affected and describes an unauthenticated network-access attack over HTTP that can cause the tool to fail host address validation. The record was still listed as "Undergoing Analysis" in the provided source corpus at the time of the last modification.

Vendor: Oracle
Product: Macoron Tool
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-06
Original CVE updated: 2026-05-10
Advisory published: 2026-05-06
Advisory updated: 2026-05-10

Who should care

Operators or developers using Oracle Macoron Tool v0.22.0, especially where the service is reachable over HTTP from untrusted networks. Security teams responsible for validating host-address checks and exposure of externally reachable management or application endpoints should prioritize review.

Technical summary

The NVD record maps the issue to CPE cpe:2.3:a:oracle:macoron:0.22.0 and assigns CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. The weakness is recorded as CWE-601 with a secondary CWE-346 reference. Based on the supplied description, an unauthenticated attacker with network access via HTTP can trigger behavior that causes Oracle Macoron Tool to fail host address validation. The provided corpus does not include exploit details, mitigation steps, or confirmation of broader affected versions beyond v0.22.0.

Defensive priority

Medium. The issue is network-reachable and unauthenticated, but the recorded vector requires user interaction (UI:R), shows no integrity or availability impact (I:N/A:N), and carries a CVSS score of 4.7. Treat it as a focused host-address validation flaw that should be addressed before exposing the product to untrusted HTTP traffic.

Recommended defensive actions

  • Verify whether Oracle Macoron Tool v0.22.0 is deployed anywhere in your environment.
  • Restrict network exposure of any HTTP endpoint associated with the product until Oracle guidance or a fix is applied.
  • Review host-address validation logic and related request handling for this release line.
  • Monitor Oracle security advisories and the NVD record for updated remediation guidance.
  • If the product is not required, remove or disable the exposed instance rather than leaving it reachable over HTTP.
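The recommendation to review host-address validation logic is the one action a development team can act on immediately, and the CWE-601 (URL redirection to untrusted site) and CWE-346 (origin validation error) mapping above describes the class of check involved. The following is an added illustrative example of what a sound host-address check for redirect targets looks like; it is not Oracle's Macoron Tool code, and the function names, the allowlist and the sample targets are constructed for the demonstration. It goes beyond the single case the record describes by covering the common ways such checks are bypassed: protocol-relative targets, backslash confusion, embedded credentials, substring matching on the wrong part of the URL, and control characters.

```python
"""
Host-address validation for redirect targets (the check CWE-601 / CWE-346 describe).

Added illustrative example; NOT the Macoron Tool's code. The allowlist, function
names and sample URLs are assumptions constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the service may redirect to.
ALLOWED_HOSTS = frozenset({"app.example.test", "sso.example.test"})


def _normalize_host(host: str) -> str:
    # Lower-case and drop a trailing dot so "App.Example.Test." matches the allowlist.
    return host.lower().rstrip(".")


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only when `target` is a same-site path or an absolute
    http(s) URL whose host is on the allowlist.

    Rejects the usual pitfalls: protocol-relative targets ("//host"),
    backslash confusion ("/\\host", which browsers parse as "//host"),
    embedded credentials ("https://good@evil"), and control characters.
    """
    if not isinstance(target, str) or not target:
        return False
    # Whitespace and control characters are never legitimate in a redirect target
    # (they also enable header injection if echoed into a Location header).
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    # Browsers normalise backslash to slash; refuse rather than guess how each
    # client will parse it.
    if "\\" in target:
        return False
    # Relative path: allowed only with a single leading slash ("/dashboard"),
    # never protocol-relative ("//other.host").
    if target.startswith("/"):
        return not target.startswith("//")
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # "https://app.example.test@other.host/" parses with hostname other.host;
    # refusing any userinfo component is simpler and safer than reasoning about it.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # None for "https:///path"
    if not host:
        return False
    # Compare the parsed host, never a substring of the whole URL.
    return _normalize_host(host) in {_normalize_host(h) for h in allowed_hosts}


# Constructed sample targets with the verdict each should receive.
SAMPLES = {
    "/dashboard": True,
    "https://app.example.test/login": True,
    "HTTPS://App.Example.Test./login": True,
    "//other.host/": False,
    "/\\other.host": False,
    "https://app.example.test@other.host/": False,
    "https://other.host/app.example.test": False,  # allowlisted name only in the path
    "javascript:void(0)": False,
    "https://app.example.test\r\nX-Injected: 1": False,
    "https:///login": False,
    "": False,
}


def check_samples():
    """Return the list of sample targets whose verdict differs from the expected one."""
    return [url for url, expected in SAMPLES.items()
            if is_safe_redirect_target(url) != expected]


if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print(f"{is_safe_redirect_target(url)!s:5}  {url!r}")
    print("mismatches:", check_samples())
```

The design choice worth noting is that the allowlist is matched against the host produced by the URL parser, normalised for case and trailing dot, and that every ambiguous input (backslashes, credentials, control characters, non-http schemes) is rejected rather than "cleaned up"; lenient canonicalisation is where this class of check usually goes wrong.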

Evidence notes

Claims in this debrief are limited to the supplied NVD record and the Oracle security-alert reference listed there. The corpus identifies the affected CPE as oracle:macoron:0.22.0, the issue as network-accessible over HTTP, and the consequence as failed host address validation. NVD's status in the provided source was "Undergoing Analysis" as of 2026-05-10. No exploit code, proof-of-concept, or vendor patch details were present in the supplied materials.

Official resources

Publicly disclosed CVE record. Published 2026-05-06 and modified 2026-05-10 in the supplied source corpus.