PatchSiren cyber security CVE debrief
CVE-2026-46817 Oracle Corporation CVE debrief
A critical unauthenticated remote code execution vulnerability in Oracle E-Business Suite's Payments component (File Transmission) enables complete system takeover. The vulnerability carries a CVSS 3.1 score of 9.8 with network attack vector, low complexity, and no privileges required. Affected versions span 12.2.3 through 12.2.15. Oracle published this vulnerability on May 28, 2026 as part of their Critical Patch Update. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog. Organizations should prioritize patching given the unauthenticated nature and complete CIA triad impact.
- Vendor: Oracle Corporation
- Product: Oracle Payments
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running Oracle E-Business Suite 12.2.3 through 12.2.15 with Oracle Payments enabled; financial services and enterprise resource planning administrators; security teams responsible for Oracle application patching programs
Technical summary
The vulnerability exists in the File Transmission component of Oracle Payments within Oracle E-Business Suite. An unauthenticated attacker with network access can exploit this flaw via HTTP to achieve complete compromise of Oracle Payments, resulting in full confidentiality, integrity, and availability impacts. The attack requires no user interaction and no privileges, with low attack complexity. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a network attack vector, low attack complexity, and high impact to confidentiality, integrity, and availability.
Defensive priority
critical
Recommended defensive actions
- Apply Oracle Critical Patch Update for May 2026 immediately to affected E-Business Suite instances running versions 12.2.3-12.2.15
- Restrict network access to Oracle Payments File Transmission endpoints to authorized administrative hosts only
- Monitor for anomalous HTTP requests to Oracle Payments File Transmission URLs pending patch deployment
- Review Oracle E-Business Suite patch application history to confirm prior Critical Patch Update compliance
- Engage Oracle Support for patch availability confirmation if running customized or extended support versions
Evidence notes
Oracle official security advisory confirms vulnerability details, affected versions, and CVSS scoring. NVD record corroborates publication timing and technical parameters. Vendor identification derived from reference domain analysis with low confidence flag for review.
Official resources
- CVE-2026-46817 CVE record (CVE.org)
- CVE-2026-46817 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
Oracle disclosed this vulnerability on May 28, 2026 via their Critical Patch Update security advisory. The CVE was published to NVD on the same date with vulnerability status 'Received'. No CISA KEV entry exists as of the disclosure date.