CVE-2026-46935 is a vulnerability in Oracle Complex Maintenance, Repair and Overhaul (part of Oracle E-Business Suite) affecting versions 12.2.3 through 12.2.15. The flaw allows a low privileged attacker with network access over HTTP to compromise the system, potentially resulting in full takeover. The vulnerability has a CVSS 3.1 score of 7.5, indicating high impact on confidentiality, integrity, and availability. Oracle's June 2026 Critical Security Patch Update includes fixes for this vulnerability among 245 other security patches. Oracle strongly recommends applying these patches immediately to prevent exploitation. No known exploits in the wild have been reported yet. Mitigation may include blocking required network protocols or restricting privileges until patches are applied, though these may affect functionality.

Successful exploitation of this vulnerability can lead to complete compromise of Oracle Complex Maintenance, Repair and Overhaul, affecting confidentiality, integrity, and availability of the system. This could allow an attacker to take over the affected product, potentially impacting business operations relying on this Oracle E-Business Suite component.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers should apply the June 2026 Critical Security Patch Update promptly to remediate this issue. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or removing unnecessary privileges from users, though these measures may impact application functionality. Oracle strongly recommends staying on actively supported versions and applying security patches without delay.