Description
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a code injection flaw (CWE-94) in the Extensibility Framework component of Oracle Enterprise Manager Base Platform. A high-privileged attacker who can connect to the platform over HTTPS can exploit the flaw to compromise confidentiality, integrity and availability, effectively taking control of the platform. The CVSS vector shows a network attack vector, low attack complexity, high required privileges, no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability, which makes this a serious threat if a privileged account is compromised.

Affected Systems

Affected are Oracle Corporation's Oracle Enterprise Manager Base Platform versions 13.5 and 24.1.

Risk and Exploitability

The CVSS score of 7.2 places the vulnerability in the high-severity range. The EPSS estimate puts the probability of exploitation below 1%, which is low but not zero. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed exploitation has been recorded as of now. The likely attack vector is network-based via HTTPS and requires high privileges, so the flaw is mainly relevant to internal adversaries or to attackers holding compromised credentials or elevated access.

Generated by OpenCVE AI on June 17, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a newer release of Oracle Enterprise Manager Base Platform that addresses the code injection flaw (CWE‑94) within the Extensibility Framework.
  • Restrict inbound HTTPS access to the platform to trusted IP addresses or configure firewall rules to limit exposure, thereby reducing the attack surface for the CWE‑94 code injection vulnerability.
  • Enable detailed auditing and monitor for suspicious activity targeting the extensibility endpoints, alerting on abnormal usage patterns that may indicate exploitation of the CWE‑94 vulnerability.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). |
| First Time appeared | | Oracle; Oracle enterprise Manager Base Platform |
| CPEs | | cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:a:oracle:enterprise_manager_base_platform:24.1:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Oracle; Oracle enterprise Manager Base Platform |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:58:47.662Z

Reserved: 2026-05-18T15:55:10.308Z

Link: CVE-2026-46867

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:00:05Z

Weaknesses

No weakness.