Description
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a code injection flaw (CWE-94) and an authorization weakness (CWE-269) within the Extensibility Framework component of Oracle Enterprise Manager Base Platform. A high-privileged attacker who can connect over HTTPS to the platform can exploit the flaw to override confidentiality, integrity and availability, effectively taking control of the entire system. The CVSS vector shows network proximity, a low effort requirement, high privileges, no user interaction, and full scope impact, implying a serious threat if compromised.

Affected Systems

Affected are Oracle Corporation's Oracle Enterprise Manager Base Platform versions 13.5 and 24.1.

Risk and Exploitability

The CVSS score of 7.2 places the vulnerability in the high-severity range. The EPSS indicates the exploitation probability is less than 1%, suggesting low random activity but still non-zero. It is not listed in the CISA KEV catalog, meaning no confirmed exploit has been recorded as of now. The likely attack vector is network-based via HTTPS, requiring high privileges, so it is mainly relevant for internal adversaries with compromised credentials or elevated access.

Generated by OpenCVE AI on June 18, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a newer release of Oracle Enterprise Manager Base Platform that addresses the code injection flaw (CWE-94) within the Extensibility Framework.
  • Restrict inbound HTTPS access to the platform to trusted IP addresses or configure firewall rules to limit exposure, thereby reducing the attack surface for the CWE-94 code injection vulnerability.
  • Enable detailed auditing and monitor for suspicious activity targeting the extensibility endpoints, alerting on abnormal usage patterns that may indicate exploitation of the CWE-94 vulnerability.

Generated by OpenCVE AI on June 18, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Extensibility Framework Remote Compromise in Oracle Enterprise Manager
Weaknesses CWE-269
CWE-94
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle enterprise Manager Base Platform
CPEs cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:24.1:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle enterprise Manager Base Platform
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Enterprise Manager Base Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:21.695Z

Reserved: 2026-05-18T15:55:10.308Z

Link: CVE-2026-46867

cve-icon Vulnrichment

Updated: 2026-06-17T14:58:43.185Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:00:14Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')