CVE | nvd | 28 May 2026

CVE-2026-46817 (CVSS 9.8) — Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allow

CVE. Sourced from nvd, summarised by Matproof.

AI Analysis

What changed and what to do.

A critical vulnerability has been published under CVE-2026-46817, affecting the Oracle Payments component of Oracle E-Business Suite, specifically versions 12.2.3 through 12.2.15. The flaw, rated 9.8 out of 10 on the CVSS scale, resides in the File Transmission module and is easily exploitable over a network without requiring authentication. This means an unauthenticated attacker could potentially compromise the system remotely, leading to a complete loss of confidentiality, integrity, and availability.

Organizations that rely on Oracle E-Business Suite for financial operations, particularly those in the banking, insurance, and regulated payment processing sectors across the EU, are directly affected. Any entity using the Oracle Payments product for file-based transactions, such as payment file generation or transmission, should treat this as a high-priority risk. Given the severity and the nature of the vulnerability, it may also impact compliance with PSD2, GDPR, and other EU financial regulations that mandate robust security controls for payment data.

Compliance teams should immediately verify their Oracle E-Business Suite version and patch status. The next step is to apply the relevant security patch from Oracle’s Critical Patch Update as soon as possible. In the interim, consider implementing network-level restrictions to limit access to the affected component, and review audit logs for any signs of unauthorized activity. Finally, update your risk register and incident response plan to reflect this vulnerability, and ensure that any third-party vendors using this software are notified and required to patch.

View original at nvd

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
