CVE Details

CVE-2026-46817 Oracle E-Business Suite Improper Privilege Management Vulnerability
Published: 2026-07-15 CVSS: 9.8 CRITICAL Product: Oracle E-Business Suite Due Date: 2026-07-18

Oracle E-Business Suite contains an improper privilege management vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments.

GitHub PoC

Warning: GitHub PoC repositories are unverified. Some may be fake or contain malware. Use caution and review code before running anything.

No GitHub PoC data.

FIRST EPSS

EPSS estimates the probability of exploitation in the next 30 days. Higher values indicate higher likelihood of real-world exploitation.

Timeline

CVE Stalker KEV MITRE GitHub FIRST (EPSS)

MITRE

CVSS

  • Score: 9.8
  • Severity: CRITICAL
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

  • Exploitation: none
  • Automatable: yes
  • Technical Impact: total

References

Show Raw Data
Key Remaining Key Value
dataType CVE_RECORD
dataVersion 5.2
cveMetadata > cveId CVE-2026-46817
cveMetadata > assignerOrgId 43595867-4340-4103-b7a2-9a5208d29a85
cveMetadata > state PUBLISHED
cveMetadata > assignerShortName oracle
cveMetadata > dateReserved 2026-05-18T15:55:10.302Z
cveMetadata > datePublished 2026-05-28T20:17:10.861Z
cveMetadata > dateUpdated 2026-05-29T15:42:19.794Z
containers > cna > providerMetadata > orgId 43595867-4340-4103-b7a2-9a5208d29a85
containers > cna > providerMetadata > shortName oracle
containers > cna > providerMetadata > dateUpdated 2026-05-28T20:17:10.861Z
containers > cna > problemTypes > 0 > descriptions > 0 > lang en-US
containers > cna > problemTypes > 0 > descriptions > 0 > description Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments.
containers > cna > affected > 0 > vendor Oracle Corporation
containers > cna > affected > 0 > product Oracle Payments
containers > cna > affected > 0 > versions > 0 > version 12.2.3
containers > cna > affected > 0 > versions > 0 > status affected
containers > cna > affected > 0 > versions > 0 > lessThanOrEqual 12.2.15
containers > cna > affected > 0 > versions > 0 > versionType custom
containers > cna > cpeApplicability > 0 > nodes > 0 > operator OR
containers > cna > cpeApplicability > 0 > nodes > 0 > negate False
containers > cna > cpeApplicability > 0 > nodes > 0 > cpeMatch > 0 > vulnerable True
containers > cna > cpeApplicability > 0 > nodes > 0 > cpeMatch > 0 > criteria cpe:2.3:a:oracle:payments:*:*:*:*:*:*:*:*
containers > cna > cpeApplicability > 0 > nodes > 0 > cpeMatch > 0 > versionStartIncluding 12.2.3
containers > cna > cpeApplicability > 0 > nodes > 0 > cpeMatch > 0 > versionEndIncluding 12.2.15
containers > cna > descriptions > 0 > lang en-US
containers > cna > descriptions > 0 > value Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
containers > cna > references > 0 > url https://www.oracle.com/security-alerts/cspumay2026.html
containers > cna > references > 0 > name Oracle Advisory
containers > cna > references > 0 > tags > 0 vendor-advisory
containers > cna > metrics > 0 > cvssV3_1 > attackVector NETWORK
containers > cna > metrics > 0 > cvssV3_1 > attackComplexity LOW
containers > cna > metrics > 0 > cvssV3_1 > privilegesRequired NONE
containers > cna > metrics > 0 > cvssV3_1 > userInteraction NONE
containers > cna > metrics > 0 > cvssV3_1 > scope UNCHANGED
containers > cna > metrics > 0 > cvssV3_1 > confidentialityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > integrityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > availabilityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > version 3.1
containers > cna > metrics > 0 > cvssV3_1 > vectorString CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
containers > cna > metrics > 0 > cvssV3_1 > baseScore 9.8
containers > cna > metrics > 0 > cvssV3_1 > baseSeverity CRITICAL
containers > adp > 0 > problemTypes > 0 > descriptions > 0 > type CWE
containers > adp > 0 > problemTypes > 0 > descriptions > 0 > cweId CWE-306
containers > adp > 0 > problemTypes > 0 > descriptions > 0 > lang en
containers > adp > 0 > problemTypes > 0 > descriptions > 0 > description CWE-306 Missing Authentication for Critical Function
containers > adp > 0 > problemTypes > 1 > descriptions > 0 > type CWE
containers > adp > 0 > problemTypes > 1 > descriptions > 0 > cweId CWE-287
containers > adp > 0 > problemTypes > 1 > descriptions > 0 > lang en
containers > adp > 0 > problemTypes > 1 > descriptions > 0 > description CWE-287 Improper Authentication
containers > adp > 0 > problemTypes > 2 > descriptions > 0 > type CWE
containers > adp > 0 > problemTypes > 2 > descriptions > 0 > cweId CWE-269
containers > adp > 0 > problemTypes > 2 > descriptions > 0 > lang en
containers > adp > 0 > problemTypes > 2 > descriptions > 0 > description CWE-269 Improper Privilege Management
containers > adp > 0 > metrics > 0 > other > type ssvc
containers > adp > 0 > metrics > 0 > other > content > timestamp 2026-05-29T15:41:43.972022Z
containers > adp > 0 > metrics > 0 > other > content > id CVE-2026-46817
containers > adp > 0 > metrics > 0 > other > content > options > 0 > Exploitation none
containers > adp > 0 > metrics > 0 > other > content > options > 1 > Automatable yes
containers > adp > 0 > metrics > 0 > other > content > options > 2 > Technical Impact total
containers > adp > 0 > metrics > 0 > other > content > role CISA Coordinator
containers > adp > 0 > metrics > 0 > other > content > version 2.0.3
containers > adp > 0 > title CISA ADP Vulnrichment
containers > adp > 0 > providerMetadata > orgId 134c704f-9b21-4f2e-91b3-4a467353bcc0
containers > adp > 0 > providerMetadata > shortName CISA-ADP
containers > adp > 0 > providerMetadata > dateUpdated 2026-05-29T15:42:19.794Z