Description
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle Enterprise Command Center Framework’s core component contains a vulnerability that is easily exploitable by an attacker with network access over HTTP. An attacker with low privilege can compromise the framework, and due to the scope change, additional products that rely on the framework may also be impacted. Successful exploitation results in full takeover of the affected instance, providing control over all data and functions of the framework.

Affected Systems

The vulnerability affects Oracle Corporation’s Oracle Enterprise Command Center Framework, specifically versions 15 and 16. Users running these releases are at risk.

Risk and Exploitability

The CVSS v3.1 base score of 9.9 indicates a critical threat with Confidentiality, Integrity and Availability impacts. The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H describes a network attacker with low privileges who needs no user interaction, and a changed scope, meaning the impact can extend beyond the vulnerable component. Although the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, the high severity score and the potential for complete takeover warrant immediate attention.

Generated by OpenCVE AI on June 17, 2026 at 20:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle's latest security update for the Enterprise Command Center Framework for both v15 and v16 as detailed in the 2026 Oracle security advisory.
  • Restrict HTTP access to the framework from untrusted networks, limiting connections to known, authorized hosts until the patch is applied.
  • Continuously monitor the framework's logs for signs of exploitation attempts.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle enterprise Command Center Framework
CPEs | | cpe:2.3:a:oracle:enterprise_command_center_framework:v15:*:*:*:*:*:*:*; cpe:2.3:a:oracle:enterprise_command_center_framework:v16:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle enterprise Command Center Framework
References | |
Metrics | | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:22:51.305Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46895

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:45:04Z

Weaknesses

No weakness.