Skip to main content
CVE-2026-46875 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library component, where a high-privileged attacker with HTTPS network access can fully compromise the platform and pivot into other managed Oracle products through a scope change. No public exploit identified at time of analysis, but the CVSS 3.1 score of 9.1 reflects severe confidentiality, integrity, and availability impact across multiple downstream systems. Patched via Oracle Critical Patch Update advisory cspujun2026.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46809 CRITICAL Act Now

Unauthenticated remote compromise of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to read, create, modify, or delete all data accessible to the application. Oracle rates this as easily exploitable with no privileges or user interaction required (CVSS 9.1), and no public exploit identified at time of analysis. The flaw is tagged as an authentication bypass affecting the WebCenter Sites component of Oracle Fusion Middleware.

Authentication Bypass Oracle Oracle Webcenter Sites
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46784 CRITICAL Act Now

Unauthenticated remote compromise of Oracle WebCenter Content: Imaging (component: Core) in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0 allows attackers to read and modify all data accessible to the Imaging service over HTTP. The flaw is rated CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and Oracle classifies it as easily exploitable. No public exploit identified at time of analysis, and the CVE is not currently listed on CISA KEV.

Authentication Bypass Oracle Webcenter Content
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46777 CRITICAL Act Now

Unauthenticated remote compromise of Oracle WebCenter Content (Fusion Middleware Content Server) in versions 12.2.1.4.0 and 14.1.2.0.0 allows network-based attackers to read, create, modify, or delete any data accessible to the Content Server via HTTP. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact, no authentication, and low attack complexity. No public exploit identified at time of analysis, but Oracle's tagging as an authentication-bypass class issue and the trivial exploitability profile make it a high-priority patch target.

Authentication Bypass Oracle Oracle Webcenter Content
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46949 CRITICAL Act Now

Remote unauthenticated compromise of Oracle Advanced Outbound Telephony (Oracle E-Business Suite, Internal Operations component) versions 12.2.3 through 12.2.15 allows attackers to read, create, modify, or delete all data accessible to the application via HTTP. Oracle rates the issue 9.1 (CVSS 3.1) due to network attack vector with no authentication and high confidentiality and integrity impact, though availability is unaffected. No public exploit identified at time of analysis, but the trivial exploitability and EBS exposure profile make it a priority patch.

Authentication Bypass Oracle Oracle Advanced Outbound Telephony
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46930 CRITICAL Act Now

Remote unauthenticated compromise of Oracle In-Memory Cost Management for Discrete Industries (Oracle E-Business Suite versions 12.2.12 through 12.2.15) allows network-based attackers to read, modify, create, or delete all data accessible to the product via HTTPS. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact but no availability impact, and no public exploit has been identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update advisory cspujun2026.

Authentication Bypass Oracle Oracle In Memory Cost Management For Discrete Industries
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46892 CRITICAL Act Now

Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Human Resources Management 9.2 allows network attackers to read and modify all data accessible through the Human Resources component via crafted HTTP requests. Oracle rates this CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and labels it 'easily exploitable.' No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Jd Edwards Enterpriseone Human Resources Management
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-20706 CRITICAL PATCH GHSA Act Now

{owner}/{repo}/archive/* accepts OAuth2 tokens but never validates the token's scope, unlike the equivalent API and git-HTTP paths. The issue was found via variant analysis of prior fix PR #37698, is fixed in 1.26.2, and carries a low EPSS (0.26%, 17th percentile) with no public exploit identified at time of analysis beyond the reproduction steps published in the GHSA advisory.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-12316 CRITICAL PATCH Act Now

Security mitigation bypass in the DOM: Security component of Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity of browser-rendered content without user interaction. The flaw carries a critical CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged as an Authentication Bypass class issue, though no public exploit identified at time of analysis. The vulnerability has been patched by Mozilla in Firefox 152 per MFSA2026-57/MFSA2026-60.

Authentication Bypass Mozilla Suse Red Hat
NVD VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-12315 CRITICAL PATCH Act Now

Security mitigation bypass in the DOM: Security component of Mozilla Firefox allows remote attackers to circumvent browser security controls, with high impact to confidentiality and integrity. The flaw affects Firefox versions prior to 152 and Firefox ESR prior to 140.12, with no public exploit identified at time of analysis. Given the CVSS 9.1 rating and network-reachable attack vector, any user browsing a malicious page is potentially exposed.

Authentication Bypass Mozilla Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-12304 CRITICAL PATCH Act Now

Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.

Authentication Bypass Mozilla Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-35320 CRITICAL Act Now

Remote takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible through the Content Server component, allowing an unauthenticated network attacker to fully compromise the product with cascading impact to other Oracle Fusion Middleware components due to a scope change. Oracle assigned a CVSS 3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), and no public exploit identified at time of analysis. The high attack complexity tempers the otherwise critical rating, but a successful exploit yields complete takeover.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
9.0
EPSS
0.4%
CVE-2026-46872 CRITICAL Act Now

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authenticated, high-privileged attacker over HTTPS to modify or destroy critical data, read a subset of data, and trigger a complete denial of service, with scope change extending impact to additional products. Oracle rates the issue CVSS 3.1 9.0 and there is no public exploit identified at time of analysis, but the scope-change behavior and broad impact warrant prompt patching during the next Oracle CPU window.

Denial Of Service Oracle Oracle Enterprise Manager Base Platform
NVD
CVSS 3.1
9.0
EPSS
0.4%
CVE-2026-54305 HIGH PATCH GHSA This Week

Cross-tenant credential takeover in n8n Enterprise allows any authenticated user to hijack OAuth credentials belonging to other tenants when the Dynamic Credentials feature is enabled. Three EE endpoints failed to enforce per-resource ownership checks, letting attackers enumerate credentials across private workflows, overwrite stored OAuth tokens with attacker-controlled tokens, or revoke victim tokens entirely. No public exploit identified at time of analysis, but the issue has a high CVSS 4.0 score of 8.9 and a vendor advisory confirms the flaw.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.3%
CVE-2026-5416 HIGH This Week

Command injection in Turck TBEN-LL-SE-M2, TBEN-L4-SE-M2, and TBEN-L5-SE-M2 Managed Ethernet Switches allows an authenticated low-privileged remote attacker to achieve full system compromise by injecting shell metacharacters into a name parameter. The flaw, reported by CERT@VDE, carries a CVSS 8.8 rating with no public exploit identified at time of analysis and is not currently listed in CISA KEV.

Command Injection Tben Ll Se M2 Tben L4 Se M2 Tben L5 Se M2
NVD
CVSS 4.0
8.7
EPSS
1.3%
CVE-2026-6933 HIGH This Week

Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.

File Upload PHP WordPress RCE Premmerce Dev Tools
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-44932 HIGH PATCH This Week

Command injection in openSUSE/SUSE wicked DHCP client before 0.6.79 allows attackers operating a rogue DHCP server on the victim's local network segment to execute arbitrary commands by embedding single-quoted shell metacharacters in DHCP option strings, which are written unsanitized to /run/wicked/leaseinfo.* files and later consumed by netconfig. The CVSS 8.8 (AV:A) rating reflects adjacent-network exposure without authentication. No public exploit identified at time of analysis.

Command Injection Wicked Red Hat
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-46916 HIGH This Week

Account takeover of Oracle Process Manufacturing Product Development (versions 12.2.3-12.2.15) is achievable by a low-privileged remote attacker over HTTP via the Quality Management Specs component. The flaw scores CVSS 8.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Oracle Oracle Process Manufacturing Product Development Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-46864 HIGH This Week

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen component, where a low-privileged attacker with SSH network access can fully compromise confidentiality, integrity, and availability. Oracle rates this 8.8 and describes it as easily exploitable, but no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The single source is Oracle's June 2026 Critical Patch Update advisory, which is the authoritative reference for affected versions and fixes.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-46780 HIGH This Week

Account takeover in Oracle WebCenter Content: Imaging (Fusion Middleware) allows a low-privileged authenticated attacker with HTTP network access to fully compromise the Imaging component on versions 12.2.1.4.0 and 14.1.2.0.0. Oracle rates the flaw CVSS 8.8 with high impact across confidentiality, integrity, and availability, and describes it as 'easily exploitable.' No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Oracle Authentication Bypass Webcenter Content
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35325 HIGH This Week

Privilege escalation to full product takeover in Oracle WebCenter Content (Content Server component) versions 12.2.1.4.0 and 14.1.2.0.0 allows low-privileged attackers with HTTP network access to fully compromise the system. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35324 HIGH This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 (Content Server component) allows a low-privileged authenticated attacker with HTTP network access to fully compromise the product, impacting confidentiality, integrity, and availability. Oracle rates this 8.8 (CVSS 3.1) and describes it as 'easily exploitable.' No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35322 HIGH This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker to fully compromise the Content Server over HTTP. Oracle's June 2026 Critical Patch Update rates this 8.8 with complete confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis.

Oracle Oracle Webcenter Content Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35318 HIGH This Week

Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker with HTTP access to fully compromise the product. The flaw is rated CVSS 8.8 with high impact across confidentiality, integrity, and availability, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35317 HIGH POC This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP network access to fully compromise the Content Server component. Oracle rates the flaw 8.8 with high impact across confidentiality, integrity and availability, and characterizes it as easily exploitable. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor's 'takeover' wording and low complexity make this a priority patch.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35315 HIGH This Week

Account takeover in Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 (Content Server component) lets a low-privileged remote attacker fully compromise the platform over HTTP without user interaction. Oracle's own CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability, and there is no public exploit identified at time of analysis. Disclosed via the Oracle Critical Security Patch Update advisory (cspujun2026), making this a vendor-confirmed flaw rather than third-party speculation.

Oracle Oracle Webcenter Content Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35311 HIGH This Week

Authenticated remote code execution in Oracle WebLogic Server 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP access to fully take over the server, per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 8.8 reflects full confidentiality, integrity, and availability impact with low attack complexity. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35303 HIGH This Week

Authenticated remote takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 via the Console component allows a low-privileged attacker with HTTP network access to fully compromise the server. Oracle rates the flaw CVSS 8.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The advisory was published in Oracle's June 2026 Critical Patch Update, making this a priority patching item for enterprise middleware operators.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35299 HIGH This Week

Authenticated takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is achievable through the administrative Console component, where a low-privileged HTTP-authenticated attacker can fully compromise confidentiality, integrity, and availability of the server. Oracle reports the issue as easily exploitable and rates it CVSS 8.8, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV. The flaw poses a significant risk to enterprise Java EE deployments where the WebLogic Console is reachable by any authenticated user.

Oracle Weblogic Server Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35267 HIGH This Week

Account takeover in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the Identity Manager instance via its REST WebServices component over HTTP. Oracle rates the flaw CVSS 8.8 with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because Identity Manager governs enterprise identity lifecycle and provisioning, successful exploitation has cascading impact across downstream applications it manages.

Oracle Identity Manager Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35265 HIGH This Week

Account takeover in Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker with HTTP access to fully compromise the Identity Manager component of Oracle Fusion Middleware. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation results in takeover of the identity governance platform itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Identity Manager Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-24909 HIGH PATCH This Week

Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Microsoft RCE Dell Openmanage
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46973 HIGH This Week

Account takeover in Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker to fully compromise the module over HTTP. With CVSS 3.1 base score 8.8 and high impact on confidentiality, integrity, and availability, this is a high-priority patching item, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Oracle Oracle Outsourced Mfg For Discrete Industries Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46972 HIGH This Week

Full takeover of Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) is achievable by a low-privileged authenticated attacker over HTTP, per Oracle's June 2026 Critical Patch Update advisory. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity, though no public exploit identified at time of analysis. Affected versions span 12.2.3 through 12.2.15 of Oracle E-Business Suite.

Oracle Oracle Outsourced Mfg For Discrete Industries Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46967 HIGH This Week

Authorization flaw in Oracle Public Sector Financials (International) versions 12.2.3 through 12.2.15 enables low-privileged authenticated attackers with HTTP network access to fully take over the affected component. Oracle's Critical Patch Update describes the issue as easily exploitable with high impact to confidentiality, integrity, and availability (CVSS 8.8). No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Oracle Oracle Public Sector Financials International Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46965 HIGH This Week

Account takeover in Oracle Universal Work Queue (Oracle E-Business Suite 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the Work Provider Site Level Administration component. Oracle rates this as easily exploitable with full confidentiality, integrity, and availability impact (CVSS 3.1 base 8.8), though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Oracle Oracle Universal Work Queue Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46962 HIGH This Week

Authenticated takeover of Oracle Project Portfolio Analysis (E-Business Suite versions 12.2.3 through 12.2.15) is possible over HTTP, allowing a low-privileged attacker to fully compromise the application's confidentiality, integrity, and availability. Oracle rates this as easily exploitable with a CVSS 3.1 base score of 8.8, though no public exploit identified at time of analysis. The flaw resides in the Internal Operations component and was disclosed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Project Portfolio Analysis Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46961 HIGH This Week

Account takeover in Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the module over HTTP. Oracle's June 2026 Critical Patch Update rates the issue 8.8 with high confidentiality, integrity, and availability impacts, and the CVSS vector flags it as easily exploitable; no public exploit identified at time of analysis and the issue is not on CISA KEV.

Oracle Oracle Project Portfolio Analysis Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46952 HIGH This Week

Account takeover in the Oracle Quality module of Oracle E-Business Suite 12.2.3 through 12.2.15 allows a low-privileged attacker with HTTP network access to fully compromise the Quality component, impacting confidentiality, integrity, and availability (CVSS 3.1 8.8). The flaw resides in the Internal Operations component and is rated easily exploitable by Oracle's own advisory, though no public exploit identified at time of analysis and the issue is not yet listed in CISA KEV.

Oracle Oracle Quality Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46951 HIGH This Week

Account takeover of the Oracle Quality module in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the component over HTTP. Per the vendor's June 2026 Critical Patch Update advisory the issue is rated CVSS 8.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Risk is elevated for internet- or intranet-exposed EBS deployments because exploitation is rated 'easily exploitable' and only requires a valid low-privilege session.

Oracle Oracle Quality Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46950 HIGH This Week

Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite component, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker with HTTP access to fully compromise the product's confidentiality, integrity, and availability. Oracle has published a fix in the June 2026 Critical Patch Update, and the CVSS 3.1 base score of 8.8 reflects an easily exploitable network-borne flaw, though no public exploit identified at time of analysis and EPSS data was not provided.

Oracle Oracle Advanced Outbound Telephony Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46947 HIGH This Week

Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the component over HTTP. The Internal Operations component is exposed to authenticated users with network reach, and successful exploitation yields high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Advanced Outbound Telephony Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46942 HIGH This Week

Takeover of Oracle Process Manufacturing Process Planning (versions 12.2.3 through 12.2.15) is achievable by a low-privileged remote attacker over HTTP through the Internal Operations component of Oracle E-Business Suite. The flaw carries a CVSS 3.1 base score of 8.8 with full confidentiality, integrity, and availability impact, and Oracle has classified it as easily exploitable. There is no public exploit identified at time of analysis, but the low complexity and minimal authentication threshold make it a high-priority patching target for any EBS deployment.

Oracle Oracle Process Manufacturing Process Planning Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46940 HIGH This Week

Remote takeover of Oracle Cost Management (component: Cost Planning) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by a low-privileged attacker over HTTP, yielding full compromise of confidentiality, integrity, and availability (CVSS 8.8). The advisory was published in Oracle's June 2026 Critical Patch Update and no public exploit identified at time of analysis. Because the EBS Cost Management module is commonly reachable from internal corporate networks by any authenticated EBS user, the low privilege requirement (PR:L) makes this a credible insider/post-foothold escalation path rather than an unauthenticated internet risk.

Oracle Oracle Cost Management Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46937 HIGH This Week

Account takeover of Oracle iSetup (component of Oracle E-Business Suite 12.2.3 through 12.2.15) is achievable by a low-privileged authenticated attacker reaching the General Ledger Update Transform / Reports component over HTTP. The flaw is rated CVSS 8.8 with full confidentiality, integrity, and availability impact, and no public exploit has been identified at time of analysis. Oracle published the fix in the June 2026 Critical Patch Update.

Oracle Oracle Isetup Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46931 HIGH This Week

Account takeover in Oracle Enterprise Asset Management (Oracle E-Business Suite 12.2.6 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Internal Operations component over HTTP. The flaw carries a CVSS 3.1 base score of 8.8 with high confidentiality, integrity, and availability impacts, and no public exploit identified at time of analysis. Because EBS instances frequently underpin manufacturing and asset-management workflows for large enterprises, successful exploitation could pivot from a foothold account into a full module takeover.

Oracle Oracle Enterprise Asset Management Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46929 HIGH This Week

Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Cost Planning component over HTTP. The flaw yields high confidentiality, integrity, and availability impact with no user interaction required, and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low-complexity, network-accessible nature warrants priority patching by EBS operators.

Oracle Oracle Cost Management Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46928 HIGH This Week

Full product takeover of Oracle Spares Management (a module of Oracle E-Business Suite) is achievable by a low-privileged remote attacker over HTTPS, affecting supported versions 12.2.3 through 12.2.15. Oracle rates this 8.8 CVSS with high impact across confidentiality, integrity, and availability, and the vector indicates easy exploitation with no user interaction. There is no public exploit identified at time of analysis, and the CVE is not on CISA KEV.

Oracle Oracle Spares Management Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46921 HIGH This Week

Account takeover in Oracle Siebel CRM Cloud Applications versions 17.0 through 26.5 allows a low-privileged remote attacker to fully compromise the Siebel Cloud Manager component over HTTP. Oracle rates the flaw 8.8 with full CIA impact, and no public exploit identified at time of analysis, but the low attack complexity and low privilege requirement make this a high-priority patch for any internet-exposed Siebel deployment.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46903 HIGH This Week

Authenticated takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the Business Logic Infrastructure Security component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and no public exploit identified at time of analysis. The flaw is described as easily exploitable, making it a high-priority patch target for enterprises running affected Tools releases.

Oracle Jd Edwards Enterpriseone Tools Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
Prev Page 4 of 13 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy