PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46937 Oracle Corporation CVE debrief

A vulnerability was discovered in Oracle iSetup, a component of Oracle E-Business Suite. The vulnerability affects versions 12.2.3-12.2.15 and has a CVSS score of 8.8, indicating high severity. A low-privileged attacker with network access via HTTP can exploit this vulnerability to compromise Oracle iSetup, potentially leading to takeover. This vulnerability is located in the General Ledger Update Transform, Reports component of Oracle iSetup. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited over the network with low privileges, and can impact confidentiality, integrity, and availability. Organizations should review their deployments and consider applying patches or mitigations.

Vendor
Oracle Corporation
Product
Oracle iSetup
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

Organizations using Oracle E-Business Suite, specifically those with Oracle iSetup versions 12.2.3-12.2.15, should be aware of this vulnerability and take necessary precautions. This includes reviewing their deployments, applying patches or mitigations, and monitoring network activity for suspicious HTTP requests.

Technical summary

The vulnerability is located in the General Ledger Update Transform, Reports component of Oracle iSetup. It has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited over the network with low privileges, and can impact confidentiality, integrity, and availability. The vulnerability has a CVSS score of 8.8, indicating high severity. A low-privileged attacker with network access via HTTP can exploit this vulnerability to compromise Oracle iSetup.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it can be easily exploited and has a high CVSS score.

Recommended defensive actions

  • Apply the patch or update provided by Oracle Corporation
  • Restrict access to Oracle iSetup to only necessary personnel
  • Monitor network activity for suspicious HTTP requests
  • Implement additional security controls, such as multi-factor authentication
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-17T10:54:13.180Z and was last modified on 2026-06-18T21:06:49.653Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus and may not reflect the full scope of the vulnerability. Further verification is recommended to ensure accurate understanding of the vulnerability's impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:54:13.180Z and has not been modified since then. The NVD entry is currently Analyzed.