Vulnerability Research
The publicly-disclosed vulnerabilities found by yours truly.
Multiple Vulnerabilities in Oracle Hospitality OPERA 5
Oracle Hospitality OPERA is a property management system (PMS) used by hotels, resorts, and chains to manage daily operations such as reservations, check-ins, room assignments, billing, and revenue. At the time of writing, there are over 500 instances exposed to the public internet. Affected Software: Oracle Hospitality OPERA 5, versions at and below 5.6.19.23, 5.6.25.17, 5.6.26.10, 5.6.27.4, 5.6.28.0.
CVE-2026-21966 (2026-01-20) low / medium advisory[0] writeup.main[1] writeup.mirror[2]
A reflected cross-site scripting (XSS) vulnerability has been identified in Oracle Hospitality OPERA. Attackers can leverage the vulnerability to deliver social engineering attacks and execute client-side code in the victim's browser.
CVE-2026-21967 (2026-01-20) high / critical advisory[0] writeup.main[1] writeup.mirror[2]
A server-side request forgery (SSRF) vulnerability has been identified in Oracle Hospitality OPERA. Attackers can leverage the vulnerability to disclose database credentials, invoke POST requests on arbitrary URLs, and enumerate internal networks. The compromised database accounts are used by the OPERA system for business operations and are thus configured with read/write privileges. This may lead to further disclosure of personally-identifiable information (PII) or disruption of business operations if the attacker has access to the database port.
Multiple Vulnerabilities in Siemens APOGEE/TALON Field Panels
The Siemens APOGEE PXC and TALON TC Series are a collection of field panels used for complex control, monitoring, and energy management within commercial buildings. They interconnect with other components to form a building automation system, often communicating via BACnet over IP. Affected Devices: APOGEE PXC Series (BACnet) (All versions), APOGEE PXC Series (P2 Ethernet) (All versions), TALON TC Series (BACnet) (All versions).
CVE-2024-54089 (2025-02-11) high advisory[3] writeup.main[4] writeup.mirror[5]
Affected devices contain a weak encryption mechanism based on a hard-coded key. This could allow an attacker to guess or decrypt the password from the cyphertext.
CVE-2024-54090 (2025-02-11) medium / high advisory[3] writeup.main[4] writeup.mirror[5]
Affected devices contain an out-of-bounds read in the memory dump function. This could allow an attacker with Medium (MED) or higher privileges to cause the device to enter an insecure cold start state.
CVE-2025-40757 (2025-09-09) high advisory[6] writeup.main[4] writeup.mirror[5]
Affected devices connected to the network allow unrestricted access to sensitive files over BACnet, including a .db file containing encrypted passwords. This can be chained with CVE-2024-54089 to bypass authentication and take over or shut down the affected devices.
Notes
The severities (low / medium / high / critical) listed on this page represent my independent opinion of an issue's severity; they are not based on CVSS but rather on the impact and conditions under reasonable scenarios. For instance, an OT (Operational Technology) device may warrant a higher severity if availability is impacted, due to safety concerns. Certain industries may consider PII disclosure to be high/critical risk due to regulations, but that also depends on the specific PII disclosed. An RCE on a web application intended to be deployed inside an internal network may still be considered critical under an assume-breach scenario, and who's to say some poor underpaid IT person doesn't expose it to the internet? You would be surprised! In the end, these ratings are just my own opinion and those affected should assess according to their situation.

What are the numbers next to the links? Links with the same number are the same link. For example, advisory[0] and advisory[1] are two different links. I do this because some groups have, say, multiple advisories but one writeup, and that may not be obvious at first glance. This will probably stay until I work out a better way to visually organise all this.