Description
Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in Oracle Enterprise Asset Management allows a low‑privileged attacker who can reach the application over HTTP to fully compromise the system. A successful exploit results in control of the entire component, impacting confidentiality, integrity, and availability of the asset management data. The CVSS 3.1 base score of 8.8 reflects the severity of this takeover.

Affected Systems

Oracle Corporation’s Oracle Enterprise Asset Management product, part of Oracle E‑Business Suite, is affected in versions 12.2.6 through 12.2.15. The vulnerability is specific to the Internal Operations component and is reachable via public or internal HTTP interfaces.

Risk and Exploitability

The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates that network access is sufficient, low effort is required, and no user interaction is necessary. The EPSS score is below 1%, suggesting the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an attacker with local network presence could exploit the flaw and gain full administrative control. The potential impact on business continuity and data integrity is significant.

Generated by OpenCVE AI on June 17, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch or upgrade supplied by Oracle in the 2026‑June security advisory.
  • Restrict HTTP access to the Internal Operations component to trusted internal hosts or VPNs only.
  • Disable or limit the Internal Operations functionality if not required for business processes.
  • Monitor system logs for unusual authentication or privilege‑escalation activity.

Generated by OpenCVE AI on June 17, 2026 at 18:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle enterprise Asset Management
CPEs cpe:2.3:a:oracle:enterprise_asset_management:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle enterprise Asset Management
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Oracle Enterprise Asset Management
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:11:01.227Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46931

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T00:15:16Z

Weaknesses

No weakness.