CVE · nvd · 28 May 2026

CVE-2026-46822 (CVSS 9.9) — Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allo

CVE. Sourced from nvd, summarised by Matproof.

AI Analysis

What changed and what to do.

A critical vulnerability has been published under CVE-2026-46822, affecting the Oracle iAssets product within Oracle E-Business Suite, specifically versions 12.2.3 through 12.2.15. The vulnerability, which carries a CVSS score of 9.9, is classified as easily exploitable and resides in the Internal Operations component. This means an attacker with low privileges could potentially compromise the system remotely without user interaction, leading to severe impacts on confidentiality, integrity, and availability.

Organizations most affected are those in sectors that rely on Oracle E-Business Suite for asset management, including financial services, manufacturing, healthcare, and public sector entities across the EU. Any company running the affected versions of Oracle iAssets should consider itself at immediate risk, particularly if the application is exposed to internal networks or accessible via VPNs. Given the high severity, this vulnerability may also trigger reporting obligations under the EU’s NIS2 Directive or sector-specific regulations like GDPR if personal data is involved.

Compliance teams should immediately verify their Oracle E-Business Suite version against the affected range and prioritize patching as soon as Oracle releases a fix. Until a patch is available, implement network segmentation and restrict access to the Internal Operations component to trusted users only. Additionally, review incident response plans to ensure they cover potential exploitation of this vulnerability, and document all actions taken for audit and regulatory reporting purposes.

View original at nvd

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
