Description
Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Production). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. While the vulnerability is in Oracle Complex Maintenance, Repair and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E‑Business Suite allows a low‑privileged attacker with network access via HTTP to compromise and ultimately take over the product. Successful exploitation has a high impact on confidentiality, integrity, and availability of the affected instance.

Affected Systems

Oracle Complex Maintenance, Repair and Overhaul (Oracle E‑Business Suite, component: Production) for versions 12.2.3 through 12.2.15.

Risk and Exploitability

The CVSS v3.1 score of 8.5 indicates a high‑severity vulnerability. The EPSS score of <1% indicates a very low estimated likelihood of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. An attacker needs network access to the exposed HTTP interface and a low‑privileged account; no user interaction is required. Attack complexity is high (AC:H), which the description characterizes as difficult to exploit. However, the change of scope means successful exploitation may affect additional products. The combination of a network‑borne vector and high impact warrants immediate remedial action despite the high attack complexity.

Generated by OpenCVE AI on June 17, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle security patch released for CVE-2026-46915 as detailed in the official Oracle advisory.
  • Restrict or remove external access to the Oracle Complex Maintenance, Repair and Overhaul HTTP interface; if the interface must remain exposed, enforce strict network segmentation and firewall rules to limit access to trusted internal networks.
  • After applying the patch and tightening network controls, conduct post‑remediation vulnerability scanning and, where feasible, penetration testing to verify that the exploitation path has been closed.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values added, by type (the Values Removed column is empty):

  • Description: Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Production). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. While the vulnerability is in Oracle Complex Maintenance, Repair and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
  • First Time appeared: Oracle; Oracle complex Maintenance Repair And Overhaul
  • CPEs: cpe:2.3:a:oracle:complex_maintenance__repair_and_overhaul:*:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle complex Maintenance Repair And Overhaul
  • References:
  • Metrics: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:02:04.827Z

Reserved: 2026-05-18T15:55:10.311Z

Link: CVE-2026-46915

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T06:00:05Z

Weaknesses

No weakness.