PatchSiren cyber security CVE debrief
CVE-2026-46937 Oracle Corporation CVE debrief
A vulnerability was discovered in Oracle iSetup, a component of Oracle E-Business Suite. The vulnerability affects versions 12.2.3-12.2.15 and has a CVSS score of 8.8, indicating high severity. A low-privileged attacker with network access via HTTP can exploit this vulnerability to compromise Oracle iSetup, potentially leading to takeover. This vulnerability is located in the General Ledger Update Transform, Reports component of Oracle iSetup. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited over the network with low privileges, and can impact confidentiality, integrity, and availability. Organizations should review their deployments and consider applying patches or mitigations.
- Vendor
- Oracle Corporation
- Product
- Oracle iSetup
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-18
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-18
Who should care
Organizations using Oracle E-Business Suite, specifically those with Oracle iSetup versions 12.2.3-12.2.15, should be aware of this vulnerability and take necessary precautions. This includes reviewing their deployments, applying patches or mitigations, and monitoring network activity for suspicious HTTP requests.
Technical summary
The vulnerability is located in the General Ledger Update Transform, Reports component of Oracle iSetup. It has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited over the network with low privileges, and can impact confidentiality, integrity, and availability. The vulnerability has a CVSS score of 8.8, indicating high severity. A low-privileged attacker with network access via HTTP can exploit this vulnerability to compromise Oracle iSetup.
Defensive priority
High priority should be given to patching or mitigating this vulnerability, as it can be easily exploited and has a high CVSS score.
Recommended defensive actions
- Apply the patch or update provided by Oracle Corporation
- Restrict access to Oracle iSetup to only necessary personnel
- Monitor network activity for suspicious HTTP requests
- Implement additional security controls, such as multi-factor authentication
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-17T10:54:13.180Z and was last modified on 2026-06-18T21:06:49.653Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus and may not reflect the full scope of the vulnerability. Further verification is recommended to ensure accurate understanding of the vulnerability's impact.
Official resources
-
CVE-2026-46937 CVE record
CVE.org
-
CVE-2026-46937 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:54:13.180Z and has not been modified since then. The NVD entry is currently Analyzed.