CVE-2026-46894 - Vulnerability Details

Description

Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Home Page). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle iSupplier Portal. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle iSupplier Portal. CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

Published: 2026-06-16

Score: 8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability exists in the Home Page component of Oracle iSupplier Portal that allows a low‑privileged attacker with HTTPS network access to compromise the portal. The exploit requires a user other than the attacker to interact, indicating a social‑engineering element. Successful exploitation results in full takeover, compromising confidentiality, integrity, and availability of the portal.

Affected Systems

Oracle iSupplier Portal, part of Oracle E‑Business Suite, is affected in versions 12.2.3 through 12.2.15. The product is identified only by its human‑readable name.

Risk and Exploitability

The CVSS 3.1 base score of 8.0 denotes high severity, while the EPSS of less than 1% indicates low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack surface uses HTTPS network connectivity and relies on a low‑privileged attacker persuading an unrelated user, making initial access easier but still dependent on human interaction. Given these conditions, the risk remains high for organizations that expose the portal externally without stringent controls.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle iSupplier Portal

affected

Version	Status	Constraints
`12.2.3`	affected	≤ 12.2.15

No data.

Vendor Product Confidence Versions

Oracle

Isupplier Portal

95%

Version	Status	Scheme	Platform
`[12.2.3,12.2.15]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Restrict external HTTPS access to the Oracle iSupplier Portal to trusted networks and enforce strong, preferably multi‑factor authentication to curb low‑privileged intrusion attempts.
Apply robust CSRF protection and validate all user input to mitigate open redirect and cross‑site request forgery weaknesses, and enforce strict password policies and multi‑factor authentication to address weak password management.
Monitor Oracle’s security alerts and apply any patches or updates for CVE‑2026‑46894 as soon as they become available, even though the current data does not list an official fix.
Conduct user awareness training to help staff recognize phishing or social‑engineering attempts that could trigger the exploit, since the attack requires interaction from a user other than the attacker.

Generated by OpenCVE AI on June 17, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00392.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.oracle.com/security-alerts/cspujun2026.html

History

Wed, 17 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-352 CWE-601 CWE-640
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 16 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Home Page). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle iSupplier Portal. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle iSupplier Portal. CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
First Time appeared		Oracle Oracle isupplier Portal
CPEs		cpe:2.3:a:oracle:isupplier_portal::::::::
Vendors & Products		Oracle Oracle isupplier Portal
References		https://www.oracle.com/security-alerts/cspujun2026.html
Metrics		cvssV3_1 `{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Oracle Isupplier Portal

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-06-16T19:27:45.260Z

Updated: 2026-06-17T13:04:55.075Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46894

Vulnrichment

Updated: 2026-06-17T12:19:12.594Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:45:04Z

Weaknesses

CWE-352
Cross-Site Request Forgery (CSRF)
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE-640
Weak Password Recovery Mechanism for Forgotten Password

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object