CVE-2026-21992: Critical Out-of-Band Oracle Identity Manager and Oracle Web Services Manager Remote Code Execution Vulnerability

ID: 9b7a3fd6-0f0a-5011-b697-995b8e12cb7a

STIX ID: report--9b7a3fd6-0f0a-5011-b697-995b8e12cb7a

Feed Name: Tenable Blog

Threat Score: 85/100

Date Published: 2026-03-20

Date Updated: 2026-05-01

Author: Satnam Narang

Oracle issued an out-of-band security alert for CVE-2026-21992, a critical unauthenticated remote code execution vulnerability (CVSSv3 9.8) affecting Oracle Identity Manager and Oracle Web Services Manager. Oracle released patches for the affected versions, and no public proof-of-concept was available at publication. The alert follows recent in-the-wild exploitation of a related 2025 vulnerability (CVE-2025-61757) that was added to CISA's KEV catalog.