Skip to main content

Oracle Enterprise Manager Base Platform

14 CVEs product

Monthly

CVE-2026-46875 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library component, where a high-privileged attacker with HTTPS network access can fully compromise the platform and pivot into other managed Oracle products through a scope change. No public exploit identified at time of analysis, but the CVSS 3.1 score of 9.1 reflects severe confidentiality, integrity, and availability impact across multiple downstream systems. Patched via Oracle Critical Patch Update advisory cspujun2026.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46872 CRITICAL Act Now

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authenticated, high-privileged attacker over HTTPS to modify or destroy critical data, read a subset of data, and trigger a complete denial of service, with scope change extending impact to additional products. Oracle rates the issue CVSS 3.1 9.0 and there is no public exploit identified at time of analysis, but the scope-change behavior and broad impact warrant prompt patching during the next Oracle CPU window.

Denial Of Service Oracle Oracle Enterprise Manager Base Platform
NVD
CVSS 3.1
9.0
EPSS
0.4%
CVE-2026-46868 HIGH This Week

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-privileged attacker abusing the Extensibility Framework over HTTPS, yielding complete confidentiality, integrity, and availability compromise of the management platform. Oracle disclosed the issue in the June 2026 Critical Patch Update with a CVSS 3.1 base score of 7.2, and no public exploit identified at time of analysis. Because EM Base Platform manages large fleets of Oracle databases and middleware, a successful compromise gives an attacker a high-value pivot point even though privileged access is required to trigger it.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46867 HIGH This Week

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Extensibility Framework component, enabling an authenticated high-privilege attacker with HTTPS network access to fully compromise confidentiality, integrity, and availability of the management platform. The vendor (Oracle) advisory rates the issue at CVSS 3.1 7.2, and no public exploit identified at time of analysis, but successful exploitation yields complete product takeover. EPSS and CISA KEV signals are not provided in the input data.

Oracle Oracle Enterprise Manager Base Platform Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-46866 HIGH This Week

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated network attackers to crash or hang the management console and to perform unauthorized modifications to a subset of accessible data via the Agent Next Gen component over HTTPS. Oracle rates the issue CVSS 8.2 and notes the flaw is easily exploitable; no public exploit identified at time of analysis, and it is not listed on the CISA KEV catalog.

Denial Of Service Oracle Oracle Enterprise Manager Base Platform
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-46865 HIGH This Week

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-46864 HIGH This Week

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen component, where a low-privileged attacker with SSH network access can fully compromise confidentiality, integrity, and availability. Oracle rates this 8.8 and describes it as easily exploitable, but no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The single source is Oracle's June 2026 Critical Patch Update advisory, which is the authoritative reference for affected versions and fixes.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-46857 CRITICAL Act Now

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network attackers to fully compromise the Oracle Management Service via HTTP. The flaw is rated CVSS 9.8 with low attack complexity and no user interaction, enabling complete takeover of the management platform. No public exploit identified at time of analysis, but the trivial exploitation profile and the platform's privileged role across managed Oracle estates make it a high-priority patching target.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46856 CRITICAL Act Now

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker over HTTP coerces a victim user into interacting with a crafted request targeting the Metadata Plugin component. The flaw is scope-changing and yields full confidentiality, integrity, and availability impact on the platform and potentially adjacent products. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Manager Base Platform XSS
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-46855 CRITICAL Act Now

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker via HTTPS, exploiting the Metadata Plugin component. The scope-changed flaw (CVSS 9.9) lets an attacker pivot to impact additional Oracle products beyond EM itself, and no public exploit identified at time of analysis.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46854 CRITICAL Act Now

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management component) allows a low-privileged attacker with HTTP network access to compromise the platform and impact other Oracle products via scope change. The flaw carries a CVSS 9.9 rating reflecting low attack complexity and broad confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Enterprise Manager often holds privileged credentials for managed Oracle databases and middleware, successful exploitation effectively pivots the attacker into the wider Oracle estate.

Oracle Authentication Bypass Oracle Enterprise Manager Base Platform
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-46853 CRITICAL Act Now

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to fully compromise the management platform - and potentially additional managed products - by tricking an authenticated user into interacting with a malicious HTTP-delivered payload targeting the Metadata Plugin component. The CVSS 3.1 base score is 9.6 with a scope change reflecting impact beyond the vulnerable component, and at time of analysis no public exploit identified at time of analysis. Because Oracle Enterprise Manager centrally controls fleets of Oracle databases, middleware, and infrastructure, successful exploitation has outsized blast-radius implications for downstream Oracle estates.

Oracle Oracle Enterprise Manager Base Platform XSS
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-46852 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata Plugin component, allowing a low-privileged remote attacker over HTTPS to fully compromise the platform with a scope change that impacts additional products. The CVSS 3.1 base score of 9.9 reflects the broad confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Manager Base Platform Privilege Escalation
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46832 CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework component, where a low-privileged authenticated attacker with HTTPS access can fully compromise the platform and impact adjacent products via a scope change. The flaw carries a CVSS 3.1 score of 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Oracle disclosed this in the June 2026 Critical Patch Update advisory (cspujun2026), and exploitation is rated low complexity.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
EPSS 0% CVSS 9.1
CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library component, where a high-privileged attacker with HTTPS network access can fully compromise the platform and pivot into other managed Oracle products through a scope change. No public exploit identified at time of analysis, but the CVSS 3.1 score of 9.1 reflects severe confidentiality, integrity, and availability impact across multiple downstream systems. Patched via Oracle Critical Patch Update advisory cspujun2026.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authenticated, high-privileged attacker over HTTPS to modify or destroy critical data, read a subset of data, and trigger a complete denial of service, with scope change extending impact to additional products. Oracle rates the issue CVSS 3.1 9.0 and there is no public exploit identified at time of analysis, but the scope-change behavior and broad impact warrant prompt patching during the next Oracle CPU window.

Denial Of Service Oracle Oracle Enterprise Manager Base Platform
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-privileged attacker abusing the Extensibility Framework over HTTPS, yielding complete confidentiality, integrity, and availability compromise of the management platform. Oracle disclosed the issue in the June 2026 Critical Patch Update with a CVSS 3.1 base score of 7.2, and no public exploit identified at time of analysis. Because EM Base Platform manages large fleets of Oracle databases and middleware, a successful compromise gives an attacker a high-value pivot point even though privileged access is required to trigger it.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Extensibility Framework component, enabling an authenticated high-privilege attacker with HTTPS network access to fully compromise confidentiality, integrity, and availability of the management platform. The vendor (Oracle) advisory rates the issue at CVSS 3.1 7.2, and no public exploit identified at time of analysis, but successful exploitation yields complete product takeover. EPSS and CISA KEV signals are not provided in the input data.

Oracle Oracle Enterprise Manager Base Platform Privilege Escalation
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated network attackers to crash or hang the management console and to perform unauthorized modifications to a subset of accessible data via the Agent Next Gen component over HTTPS. Oracle rates the issue CVSS 8.2 and notes the flaw is easily exploitable; no public exploit identified at time of analysis, and it is not listed on the CISA KEV catalog.

Denial Of Service Oracle Oracle Enterprise Manager Base Platform
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen component, where a low-privileged attacker with SSH network access can fully compromise confidentiality, integrity, and availability. Oracle rates this 8.8 and describes it as easily exploitable, but no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The single source is Oracle's June 2026 Critical Patch Update advisory, which is the authoritative reference for affected versions and fixes.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network attackers to fully compromise the Oracle Management Service via HTTP. The flaw is rated CVSS 9.8 with low attack complexity and no user interaction, enabling complete takeover of the management platform. No public exploit identified at time of analysis, but the trivial exploitation profile and the platform's privileged role across managed Oracle estates make it a high-priority patching target.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker over HTTP coerces a victim user into interacting with a crafted request targeting the Metadata Plugin component. The flaw is scope-changing and yields full confidentiality, integrity, and availability impact on the platform and potentially adjacent products. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Manager Base Platform XSS
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker via HTTPS, exploiting the Metadata Plugin component. The scope-changed flaw (CVSS 9.9) lets an attacker pivot to impact additional Oracle products beyond EM itself, and no public exploit identified at time of analysis.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management component) allows a low-privileged attacker with HTTP network access to compromise the platform and impact other Oracle products via scope change. The flaw carries a CVSS 9.9 rating reflecting low attack complexity and broad confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Because Enterprise Manager often holds privileged credentials for managed Oracle databases and middleware, successful exploitation effectively pivots the attacker into the wider Oracle estate.

Oracle Authentication Bypass Oracle Enterprise Manager Base Platform
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to fully compromise the management platform - and potentially additional managed products - by tricking an authenticated user into interacting with a malicious HTTP-delivered payload targeting the Metadata Plugin component. The CVSS 3.1 base score is 9.6 with a scope change reflecting impact beyond the vulnerable component, and at time of analysis no public exploit identified at time of analysis. Because Oracle Enterprise Manager centrally controls fleets of Oracle databases, middleware, and infrastructure, successful exploitation has outsized blast-radius implications for downstream Oracle estates.

Oracle Oracle Enterprise Manager Base Platform XSS
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata Plugin component, allowing a low-privileged remote attacker over HTTPS to fully compromise the platform with a scope change that impacts additional products. The CVSS 3.1 base score of 9.9 reflects the broad confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Oracle Enterprise Manager Base Platform Privilege Escalation
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework component, where a low-privileged authenticated attacker with HTTPS access can fully compromise the platform and impact adjacent products via a scope change. The flaw carries a CVSS 3.1 score of 9.9 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Oracle disclosed this in the June 2026 Critical Patch Update advisory (cspujun2026), and exploitation is rated low complexity.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy