CVE-2026-34311

CRITICAL

Oracle Hospitality OPERA 5 Property Services <=5.6.28 - Unauthenticated RCE

Title source: llm
STIX 2.1

Description

Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
Oracle Advisory
https://www.oracle.com/security-alerts/cspumay2026.html

Scores

CVSS v3 9.8
EPSS 0.0046
EPSS Percentile 36.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

Status published
Products (10)
oracle/hospitality_opera_5_property_services 5.6.19.24
oracle/hospitality_opera_5_property_services 5.6.22
oracle/hospitality_opera_5_property_services 5.6.25.19
oracle/hospitality_opera_5_property_services 5.6.27.6
oracle/hospitality_opera_5_property_services 5.6.28
Oracle Corporation/Oracle Hospitality OPERA 5 Property Services 5.6.19.24
Oracle Corporation/Oracle Hospitality OPERA 5 Property Services 5.6.22
Oracle Corporation/Oracle Hospitality OPERA 5 Property Services 5.6.25.19
Oracle Corporation/Oracle Hospitality OPERA 5 Property Services 5.6.27.6
Oracle Corporation/Oracle Hospitality OPERA 5 Property Services 5.6.28
Published May 28, 2026
Tracked Since May 29, 2026