CVE-2026-46817
CRITICAL · 9.8 · EPSS 0.4%
Active exploitation credibly reported by threat intel; no KEV listing yet; patch issued; real defender triage signal but PoC not confirmed.
What: Unauthenticated remote code execution / takeover in Oracle E-Business Suite Payments (File Transmission component), versions 12.2.3–12.2.15. CVSS 9.8 CRITICAL, EPSS 0.34%.
Why it matters: Multiple threat intelligence sources report active exploitation in the wild. Oracle patched in May 2026; unpatched deployments remain vulnerable to complete compromise without authentication. Social chatter emphasizes in-the-wild attacks and low barrier to entry (no user interaction required).
Where it's seen: Security news sites (Bleeping Computer), threat intel vendors (Defused), security blogs, and international media amplifying "actively exploited" claims. No public PoC confirmed in posts, but consistent reporting of live attacks drives practitioner concern.
RISK: CRITICAL — Unauthenticated takeover of financial systems; active exploitation reported; patch available but adoption lagging.
Description
Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected versions
- oracle/e-business_suite: 12.2.3 – 12.2.15