Unauthenticated File Transmission Vulnerability in Oracle E-Business Suite Payments
CVE-2026-46817
Key Information:
- Vendor: Oracle
- CVE Published: 28 May 2026
What is CVE-2026-46817?
CVE-2026-46817 is a critical vulnerability found in the Oracle Payments component of the Oracle E-Business Suite. This software suite is utilized by organizations for various business processes, including financial management. The vulnerability allows unauthenticated attackers with network access via HTTP to exploit Oracle Payments, potentially leading to unauthorized control over the application. The severity of this vulnerability is underscored by its high CVSS score of 9.8, which indicates significant risks to confidentiality, integrity, and availability. Organizations utilizing affected versions (12.2.3 to 12.2.15) are at high risk, as successful exploitation could result in severe operational disruptions and compromise sensitive financial data.
Potential impact of CVE-2026-46817
- Unauthorized Access and Data Compromise: The vulnerability allows attackers to gain unauthorized access to Oracle Payments, potentially leading to the compromise of confidential financial data stored within the application.
- Operational Disruptions: Successful exploitation can result in the takeover of the Oracle Payments system, which may disrupt payment processing and related financial transactions, significantly impacting business operations.
- Increased Risk of Ransomware Payloads: The ease of exploitation could attract malicious actors, increasing the likelihood of ransomware attacks, as attackers may seek to leverage the vulnerability for greater network access within an organization.
Affected Version(s)
Oracle Payments 12.2.3 to 12.2.15
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Over 900 Oracle E-Business instances exposed to ongoing attacks
Over 900 Oracle E-Business Suite (EBS) instances have been found exposed online amid ongoing attacks exploiting a critical security flaw.
21 hours ago
Timeline
- 📈 Vulnerability started trending
- 🟡 Public PoC available
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 📰 First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved