CVE-2026-46908
Oracle has fixed multiple vulnerabilities in Oracle JD Edwards EnterpriseOne, including the Tools, Accounts Payable, Human Resources Management, General Ledger, Order Promising, and Project Costing modules, specifically for versions 9.2.0.0 to 9.2.26.2. The vulnerabilities in Oracle JD Edwards EnterpriseOne allow an attacker to gain full control over the system without authentication or with low privileges via network access (HTTP or SMB). This includes creating, deleting, or modifying critical data, gaining unauthorized access to sensitive information, and causing a denial-of-service by crashing the system. The vulnerabilities affect the confidentiality, integrity, and availability of the system. Some vulnerabilities may also impact other related Oracle products due to the integrated nature of the suite.
CSIRTS triage
- What
- Vulnerabilities could allow attackers to gain full control over the system without authentication.
- Who is affected
- Users of Oracle JD Edwards EnterpriseOne versions 9.2.0.0 to 9.2.26.2.
- Urgency
- Remediation is urgent due to the potential for complete system compromise.
- Action
- Users should apply the updates provided by Oracle.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-46908
Get an email if CVE-2026-46908 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.41% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 33% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownNCSC-2026-0206 [1.00] [M/H] Vulnerabilities fixed in Oracle JD Edwards EnterpriseOnencsc-nl · 2026-06-17
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-46908)