PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46938 Oracle Corporation CVE debrief

A high-severity vulnerability was discovered in Oracle Cost Management, a product of Oracle E-Business Suite. The vulnerability, tracked as CVE-2026-46938, has a CVSS score of 7.2 and can be easily exploited by a high-privileged attacker with network access via HTTP, potentially leading to a takeover of Oracle Cost Management. The vulnerability is located in the Cost Planning component. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating a high impact on confidentiality, integrity, and availability.

Vendor
Oracle Corporation
Product
Oracle Cost Management
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

Organizations using Oracle Cost Management versions 12.2.3-12.2.15 should prioritize patching this vulnerability to prevent potential exploitation. Affected operators and security teams should review the vulnerability and plan for mitigation. Platform administrators and vulnerability management teams should also be aware of the potential impact.

Technical summary

The vulnerability is located in the Cost Planning component of Oracle Cost Management, a product of Oracle E-Business Suite. It has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating a high impact on confidentiality, integrity, and availability. The vulnerability is easily exploitable and requires high privileges and network access via HTTP. Successful attacks can result in takeover of Oracle Cost Management. Organizations using Oracle Cost Management versions 12.2.3-12.2.15 are affected, specifically those with deployments in managed environments. Affected operators and security teams should review the vulnerability and plan for mitigation, including applying patches provided by Oracle Corporation, restricting network access, monitoring for suspicious activity, reviewing and updating access controls, performing vulnerability scanning and asset inventory, implementing compensating controls for exposed systems, and tracking exceptions and retesting remediated assets.

Defensive priority

High

Recommended defensive actions

  • Apply the patch provided by Oracle Corporation
  • Restrict network access to Oracle Cost Management
  • Monitor for suspicious activity
  • Review and update access controls
  • Perform vulnerability scanning and asset inventory
  • Implement compensating controls for exposed systems
  • Track exceptions and retest remediated assets

Evidence notes

The CVE record was published on 2026-06-17T10:54:13.280Z and last modified on 2026-06-18T21:06:38.987Z. The NVD entry is currently Analyzed. The vulnerability is in Oracle Cost Management, a product of Oracle E-Business Suite, specifically in the Cost Planning component. Evidence is based on the CVE record and NVD entry, which may have limited information. Defenders should verify affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:54:13.280Z and has not been modified since then. The NVD entry is currently Analyzed.