PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46965 Oracle Corporation CVE debrief

A vulnerability exists in Oracle Universal Work Queue, a component of Oracle E-Business Suite. The affected versions are 12.2.3-12.2.15. This vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue, potentially leading to its takeover. The CVSS 3.1 Base Score is 8.8, indicating high severity with impacts on Confidentiality, Integrity, and Availability. The vulnerability is easily exploitable and allows a low-privileged attacker with network access via HTTP to compromise the product. Successful attacks can result in the takeover of Oracle Universal Work Queue.

Vendor
Oracle Corporation
Product
Oracle Universal Work Queue
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

Organizations using Oracle E-Business Suite versions 12.2.3-12.2.15 should prioritize patching this vulnerability. The vulnerability's high CVSS score and potential for takeover of Oracle Universal Work Queue make it critical for security teams to address. Security teams, vulnerability management teams, and operators of Oracle E-Business Suite should review and address this vulnerability.

Technical summary

The vulnerability in Oracle Universal Work Queue, a component of Oracle E-Business Suite, is easily exploitable and allows a low-privileged attacker with network access via HTTP to compromise the product. Successful attacks can result in the takeover of Oracle Universal Work Queue. The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, with a Base Score of 8.8. The affected versions are 12.2.3-12.2.15. To address this vulnerability, defenders should verify the affected scope, severity, and vendor guidance, and consider applying patches or mitigations as recommended by Oracle.

Defensive priority

High

Recommended defensive actions

  • Apply the patch from Oracle as soon as possible
  • Review and limit network access to Oracle Universal Work Queue
  • Monitor for suspicious activity related to Oracle Universal Work Queue
  • Ensure that the Oracle E-Business Suite is updated to a version that is not vulnerable
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-17T10:54:15.673Z and was last modified on 2026-06-18T22:20:33.020Z. The NVD entry is currently Analyzed. The vulnerability affects Oracle Universal Work Queue, a component of Oracle E-Business Suite, with versions 12.2.3-12.2.15 being vulnerable. The CVSS 3.1 Base Score is 8.8, indicating high severity with impacts on Confidentiality, Integrity, and Availability. Defenders should verify the affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:54:15.673Z and has not been modified since then. The NVD entry is currently Analyzed.