Skip to main content

Oracle Enterprise Manager EUVDEUVD-2026-37346

| CVE-2026-46853 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 oracle
9.6
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Network-reachable HTTP endpoint with no attacker credentials but required victim interaction; Metadata Plugin flaw produces scope change with full takeover of OEM and managed products.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:44 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

AnalysisAI

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to fully compromise the management platform - and potentially additional managed products - by tricking an authenticated user into interacting with a malicious HTTP-delivered payload targeting the Metadata Plugin component. The CVSS 3.1 base score is 9.6 with a scope change reflecting impact beyond the vulnerable component, and at time of analysis no public exploit identified at time of analysis. Because Oracle Enterprise Manager centrally controls fleets of Oracle databases, middleware, and infrastructure, successful exploitation has outsized blast-radius implications for downstream Oracle estates.

Technical ContextAI

Oracle Enterprise Manager (OEM) Base Platform is Oracle's flagship on-premises management console for monitoring and administering Oracle databases, Fusion Middleware, Engineered Systems, and hosts. The flaw resides in the Metadata Plugin component, which handles plugin-supplied metadata definitions consumed by the OEM console and agents over HTTP. No CWE is assigned in the input, but the combination of network attack vector, required user interaction, and scope change is characteristic of a client-side or server-side processing weakness (for example metadata injection, deserialization, or XSS-to-privileged-action chain) where a victim user's authenticated session is leveraged to perform actions whose effects cross into other Oracle products managed by OEM. The CPE 'cpe:2.3:a:oracle_corporation:oracle_enterprise_manager_base_platform' confirms the Base Platform itself - not a specific plug-in pack - is the vulnerable component.

RemediationAI

Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (cspujun2026) to OEM Base Platform 13.5 and 24.1 as soon as a maintenance window allows; exact patch bundle identifiers are listed in the advisory at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory, no standalone fixed build number is specified in the input. Until patches are applied, restrict the OEM console and agent HTTP/HTTPS endpoints to a dedicated management VLAN or jump-host network so unauthenticated attackers cannot reach them (trade-off: breaks remote admin from user workstations and may require VPN reconfiguration), require admins to use isolated browser profiles dedicated to OEM and avoid following untrusted links while logged in to mitigate the UI:R requirement, and monitor OEM audit logs for unexpected metadata plugin uploads or administrative actions. Avoid disabling the Metadata Plugin component itself, as OEM relies on it for normal operation.

CVE-2026-46855 CRITICAL
9.9 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v

CVE-2026-46852 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P

CVE-2026-46854 CRITICAL
9.9 Jun 16

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo

CVE-2026-46832 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework

CVE-2026-46857 CRITICAL
9.8 Jun 16

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a

CVE-2026-46856 CRITICAL
9.6 Jun 16

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov

CVE-2026-46875 CRITICAL
9.1 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp

CVE-2026-46872 CRITICAL
9.0 Jun 16

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe

CVE-2026-46864 HIGH
8.8 Jun 16

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo

CVE-2026-46866 HIGH
8.2 Jun 16

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica

CVE-2026-46865 HIGH
8.2 Jun 16

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)

CVE-2026-46868 HIGH
7.2 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-

Share

EUVD-2026-37346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy