Description
Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a SQL injection flaw in the Security component of Oracle Flow Manufacturing, allowing a low‑privileged attacker with network access to inject arbitrary SQL statements. Successful exploitation leads to a complete takeover of the application, compromising the confidentiality, integrity, and availability of all data processed by the system.

Affected Systems

Oracle Flow Manufacturing in Oracle E-Business Suite, versions 12.2.9 through 12.2.15, is affected by this weakness.

Risk and Exploitability

The CVSS v3.1 base score of 8.8 rates this as a high-severity risk. AV:N indicates the flaw is reachable over the network, AC:L indicates low attack complexity, and PR:L specifies that low-privilege credentials are sufficient. The EPSS score of 0.00042 indicates a very low probability of exploitation, though the flaw remains easily exploitable under the described conditions. The vulnerability is not listed in CISA's KEV catalog, so no exploitation in the wild is recorded there.

Generated by OpenCVE AI on May 29, 2026 at 18:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle patch that addresses the SQL injection and privilege misuse in 12.2.9–12.2.15, as outlined in the Oracle Security Alert.
  • Harden database interactions by ensuring all user inputs are validated, using parameterized queries or stored procedures to mitigate the SQL injection weakness (CWE‑89).
  • Restrict database access to roles that strictly require privileges for the Flow Manufacturing application, and review existing privilege assignments to eliminate excessive rights (CWE‑269).
  • Implement network segmentation and firewall rules so only trusted administrators can reach the Flow Manufacturing database, reducing exposure for the SQL injection vector.
  • Monitor SQL query logs and unusual activity patterns to detect possible injection attempts early and audit privilege changes for anomalous behavior.


Advisories

No advisories yet.

History

Fri, 29 May 2026 19:00:00 +0000

Type Values Removed Values Added
Title SQL Injection Allowing Full Takeover in Oracle Flow Manufacturing
Weaknesses CWE-89

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title SQL Injection Allowing Full Takeover in Oracle Flow Manufacturing
Weaknesses CWE-89

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle flow Manufacturing
CPEs cpe:2.3:a:oracle:flow_manufacturing:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle flow Manufacturing
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:32:42.188Z

Reserved: 2026-05-18T15:55:10.305Z

Link: CVE-2026-46837

Vulnrichment

Updated: 2026-05-29T15:32:36.989Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T21:16:33.573

Modified: 2026-05-29T16:16:30.673

Link: CVE-2026-46837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:45:05Z
