SB20260120163 - Multiple vulnerabilities in Oracle Hospitality OPERA 5 Property Services
Published: January 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Uncontrolled Recursion (CVE-ID: CVE-2025-48924)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. A remote attacker can trigger uncontrolled recursion and perform a denial of service (DoS) attack.
2) Improper input validation (CVE-ID: CVE-2026-21966)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Opera component in Oracle Hospitality OPERA 5 Property Services. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
3) Resource exhaustion (CVE-ID: CVE-2025-48976)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
4) Improper input validation (CVE-ID: CVE-2026-21967)
The vulnerability allows a remote non-authenticated attacker to read, manipulate or delete data.
The vulnerability exists due to improper input validation within the Opera Servlet component in Oracle Hospitality OPERA 5 Property Services. A remote non-authenticated attacker can exploit this vulnerability to read, manipulate or delete data.
Remediation
Install update from vendor's website.