Description
Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Manager. While the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Internal Operations component of Oracle Applications Manager enables a low‑privileged attacker with network access over HTTP to compromise the application. The vulnerability allows the attacker to take full control over the targeted instance, resulting in loss of confidentiality, integrity, and availability as the entire service can be altered or disabled at the attacker’s discretion.

Affected Systems

Oracle Applications Manager, part of Oracle E‑Business Suite, across versions 12.2.3 through 12.2.15, distributed by Oracle Corporation. The scope change may affect additional related Oracle products that interact with the compromised component.

Risk and Exploitability

The CVSS 3.1 base score of 9.9 indicates critical severity. The vector AV:N/AC:L/PR:L/UI:N/S:C shows that exploitation is possible over the network by an attacker who needs only low privileges and no user interaction, and that the impact can extend beyond the vulnerable component (scope change). Although the EPSS score is below 1%, meaning the likelihood of exploitation is low, the potential impact warrants urgent attention. The vulnerability is not listed in the CISA KEV catalog at this time.

Generated by OpenCVE AI on June 17, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle patch or upgrade to a non‑affected version (12.2.16 or later) as outlined in Oracle’s security alert for CVE-2026-46933
  • Restrict HTTP access to the Oracle Applications Manager interface to trusted network segments or authorized users only
  • Implement monitoring and alerting on anomalous traffic targeting the Internal Operations component to detect potential exploitation attempts

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Manager. While the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle applications Manager
CPEs | | cpe:2.3:a:oracle:applications_manager:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle applications Manager
References | |
Metrics | | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-16T19:27:56.406Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46933

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:15:02Z

Weaknesses

No weakness.