Skip to main content

Oracle Cost Management

3 CVEs product

Monthly

CVE-2026-46940 HIGH This Week

Remote takeover of Oracle Cost Management (component: Cost Planning) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by a low-privileged attacker over HTTP, yielding full compromise of confidentiality, integrity, and availability (CVSS 8.8). The advisory was published in Oracle's June 2026 Critical Patch Update and no public exploit identified at time of analysis. Because the EBS Cost Management module is commonly reachable from internal corporate networks by any authenticated EBS user, the low privilege requirement (PR:L) makes this a credible insider/post-foothold escalation path rather than an unauthenticated internet risk.

Oracle Oracle Cost Management Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-46938 HIGH This Week

Full compromise of Oracle Cost Management (component: Cost Planning) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, resulting in takeover of the module with high confidentiality, integrity, and availability impact. Oracle's Critical Patch Update for June 2026 (cspujun2026) classifies this as easily exploitable once the privilege prerequisite is met. No public exploit identified at time of analysis and no CISA KEV listing observed.

Oracle Oracle Cost Management Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46929 HIGH This Week

Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Cost Planning component over HTTP. The flaw yields high confidentiality, integrity, and availability impact with no user interaction required, and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low-complexity, network-accessible nature warrants priority patching by EBS operators.

Oracle Oracle Cost Management Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.4%
EPSS 0% CVSS 8.8
HIGH This Week

Remote takeover of Oracle Cost Management (component: Cost Planning) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by a low-privileged attacker over HTTP, yielding full compromise of confidentiality, integrity, and availability (CVSS 8.8). The advisory was published in Oracle's June 2026 Critical Patch Update and no public exploit identified at time of analysis. Because the EBS Cost Management module is commonly reachable from internal corporate networks by any authenticated EBS user, the low privilege requirement (PR:L) makes this a credible insider/post-foothold escalation path rather than an unauthenticated internet risk.

Oracle Oracle Cost Management Privilege Escalation
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Full compromise of Oracle Cost Management (component: Cost Planning) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, resulting in takeover of the module with high confidentiality, integrity, and availability impact. Oracle's Critical Patch Update for June 2026 (cspujun2026) classifies this as easily exploitable once the privilege prerequisite is met. No public exploit identified at time of analysis and no CISA KEV listing observed.

Oracle Oracle Cost Management Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Cost Planning component over HTTP. The flaw yields high confidentiality, integrity, and availability impact with no user interaction required, and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low-complexity, network-accessible nature warrants priority patching by EBS operators.

Oracle Oracle Cost Management Authentication Bypass
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy