HIGH | CVE-2026-46894 | CNA: oracle

CVE-2026-46894: Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Home Page)

Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Home Page). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle iSupplier Portal. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle iSupplier Portal. CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1: 8.0
Severity: HIGH
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

A high-severity vulnerability affects the Home Page component of Oracle iSupplier Portal within Oracle E-Business Suite (versions 12.2.3 through 12.2.15). The flaw is reachable over the network via HTTPS by any low-privileged authenticated user, but requires a separate victim to interact with attacker-controlled content to trigger exploitation. Successful exploitation results in full takeover of the Oracle iSupplier Portal instance, giving the attacker read, write, and denial-of-service capabilities over the application. No upstream fix has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46894 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including internally built images that bundle Oracle E-Business Suite components.
Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 8.0 (HIGH) and weighting it against each environment's compliance policy to determine urgency; findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle iSupplier Portal service over the network via HTTPS; no local or physical access is needed.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker does not need administrative credentials.

  • Victim interaction: Required

    A separate authenticated user must interact with attacker-controlled content (for example, by visiting a crafted URL or clicking a malicious link) for the attack to succeed.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or special environmental factors are required.

Blast Radius

  • A successful attacker can read all data accessible through the iSupplier Portal, including supplier records, purchase orders, and any stored credentials or session tokens.
  • The attacker can modify persisted portal data, including supplier profile information, submitted invoices, and procurement records.
  • The attacker can crash or otherwise disrupt the iSupplier Portal service, making it unavailable to legitimate users.
  • Combined confidentiality, integrity, and availability impact at the HIGH level across all three dimensions constitutes a full application takeover.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against customer images, scored at CVSS 8.0 HIGH, and surfaced in the finding queue for every environment running an affected Oracle iSupplier Portal version (12.2.3 through 12.2.15). Because Oracle has not yet published a fix, HarborGuard re-evaluates the advisory on each ingest cycle. The moment an upstream patch is released, a patched-image rebuild will become available; for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically. In the interim, compensating controls worth considering include network-policy rules that restrict HTTPS access to the iSupplier Portal Home Page component to trusted source ranges, egress filtering to limit lateral movement if a session is hijacked, and reviewing portal user account permissions to minimize the number of low-privilege accounts with access to sensitive supplier data.

Affected packages
  • Oracle Corporation / Oracle iSupplier Portal
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H