Skip to main content

Oracle iSetup CVE-2026-46937

| EUVDEUVD-2026-37252 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable HTTP endpoint (AV:N), no special conditions beyond a low-privileged EBS account (AC:L, PR:L), no user interaction, and Oracle states full takeover of iSetup yielding C:H/I:H/A:H within the same authorization scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:02 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSetup. Successful attacks of this vulnerability can result in takeover of Oracle iSetup. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover of Oracle iSetup (component of Oracle E-Business Suite 12.2.3 through 12.2.15) is achievable by a low-privileged authenticated attacker reaching the General Ledger Update Transform / Reports component over HTTP. The flaw is rated CVSS 8.8 with full confidentiality, integrity, and availability impact, and no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-priv EBS credential
Delivery
Reach iSetup HTTP endpoint
Exploit
Submit crafted General Ledger Transform request
Execution
Trigger iSetup vulnerability
Persist
Take over iSetup module
Impact
Read/modify GL configuration data

Vulnerability AssessmentAI

Exploitation Attacker must reach the Oracle E-Business Suite application tier over HTTP/HTTPS and hold a valid EBS user account with sufficient responsibility to invoke the Oracle iSetup module's General Ledger Update Transform or Reports functionality (PR:L per Oracle's vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward meaningful enterprise risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has phished or password-sprayed a low-privilege EBS user account with iSetup access logs into the EBS application tier over HTTPS, navigates to (or directly POSTs to) the General Ledger Update Transform / Reports endpoint, and submits a crafted request that abuses the vulnerable component to gain full control of the iSetup module - reading and modifying General Ledger configuration migrations and pivoting deeper into the EBS instance. No user interaction by another party is required, and no public POC has been observed at time of analysis.
Remediation Apply the Oracle June 2026 Critical Patch Update for E-Business Suite as described at https://www.oracle.com/security-alerts/cspujun2026.html (Patch available per vendor advisory; the CPU bundles the iSetup fix for all supported 12.2.x lines). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Oracle E-Business Suite 12.2.3 through 12.2.15 instances and disable HTTP access to iSetup components; restrict to HTTPS and authorized networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy