CVE-2026-46900 - Vulnerability Details

Description

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Published: 2026-06-16

Score: 9.9 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Oracle Enterprise Command Center Framework contains a vulnerability that can be easily exploited by an attacker who has low privileges and simple network access via HTTPS. When successfully leveraged, the flaw compromising its confidentiality, integrity and availability. The CVSS vector indicates that no user interaction is needed and the attack can be performed remotely with minimal effort, resulting in full system takeover.

Affected Systems

Oracle Corporation’s Oracle Enterprise Command Center Framework, specifically versions 15 and 16, are affected. The vulnerability resides in the Core component of Oracle E‑Business Suite.

Risk and Exploitability

The severity is extremely high with a CVSS score of 9.9. The EPSS score is below 1%, indicating a low but not negligible exploitation probability. It is not listed in CISA’s KEV catalog. The attack vector is anticipated to be a remote HTTPS request from a network‑local attacker with low privileges, exploiting the lack of sufficient access control to execute arbitrary commands.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Enterprise Command Center Framework

affected

Version	Status	Constraints
`V15`	affected	—
`V16`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Enterprise Command Center Framework

100%

Version	Status	Scheme	Platform
`V15`	affected	generic	—
`V16`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the Oracle security alert released for the latest patch and apply it to version 15 or 16 immediately.
If a patch is not yet available, upgrade the product to a newer, supported version that does not contain the vulnerability.
Restrict inbound HTTPS traffic to the Oracle Enterprise Command Center Framework to only trusted networks and monitor for abnormal activity.

Generated by OpenCVE AI on June 17, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00479.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cspujun2026.html

History

Tue, 16 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared		Oracle Oracle enterprise Command Center Framework
CPEs		cpe:2.3:a:oracle:enterprise_command_center_framework:v15:::::::* cpe:2.3:a:oracle:enterprise_command_center_framework:v16:::::::*
Vendors & Products		Oracle Oracle enterprise Command Center Framework
References		https://www.oracle.com/security-alerts/cspujun2026.html
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Oracle Enterprise Command Center Framework

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-06-16T19:27:47.099Z

Updated: 2026-06-17T13:38:14.177Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46900

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:30:15Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object