Description
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Easily exploitable input validation weakness (CWE‑79) in the Metadata Plugin of Oracle Enterprise Manager Base Platform allows an unauthenticated attacker with network access over HTTP to compromise the platform. The vulnerability requires human interaction from another individual, as stated in the CVE description. Successful exploitation can result in full takeover of the platform, compromising confidentiality, integrity and availability.

Affected Systems

This affects Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. The issue is confined to the Metadata Plugin component but can impact other integrated products due to the change of scope.

Risk and Exploitability

The CVSS 3.1 base score of 9.6 indicates a critical severity, while an EPSS score below 1% suggests a low probability of exploitation under current conditions. The vulnerability is not listed in CISA’s KEV catalog, and successful attacks require human interaction from another individual, as stated in the CVE description. Nonetheless, the potential impact of complete platform compromise warrants immediate attention.

Generated by OpenCVE AI on June 18, 2026 at 23:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle Enterprise Manager Base Platform patch that contains the fix for CVE-2026-46853.
  • Restrict HTTP access to the Metadata Plugin endpoint to privileged users or internal networks, or implement firewall rules to block unauthorized traffic.
  • Configure logging and monitor for suspicious HTTP requests targeting the plugin; investigate any anomalous activity.

Generated by OpenCVE AI on June 18, 2026 at 23:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access in Oracle Enterprise Manager Metadata Plugin Enables Platform Takeover

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Exploit in Oracle Enterprise Manager Metadata Plugin Causing Full Platform Takeover
Weaknesses CWE-285

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Exploit in Oracle Enterprise Manager Metadata Plugin Causing Full Platform Takeover
Weaknesses CWE-285
CWE-79
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle enterprise Manager Base Platform
CPEs cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:24.1:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle enterprise Manager Base Platform
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Enterprise Manager Base Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T14:22:57.361Z

Reserved: 2026-05-18T15:55:10.306Z

Link: CVE-2026-46853

cve-icon Vulnrichment

Updated: 2026-06-17T14:16:39.701Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')