🔴 Critical  |  Source: CISA Known Exploited Vulnerabilities


A critical vulnerability in Oracle E-Business Suite allows an unauthenticated attacker with network access over HTTP to fully compromise Oracle Payments, potentially taking complete control of the payment processing component. The flaw stems from improper privilege management, meaning no credentials are required to exploit it. This vulnerability is confirmed as actively exploited in the wild, making prompt remediation urgent.

Security Architect’s Take: Immediately restrict network access to Oracle E-Business Suite HTTP endpoints at the perimeter and WAF level, prioritising isolation of the Oracle Payments module. Apply Oracle’s patch before the CISA remediation deadline of 18 July 2026, and audit access logs for any anomalous unauthenticated HTTP activity against the Payments component.

Original advisory: CVE-2026-46817: Oracle E-Business Suite