A critical vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2026-46817 with a CVSS score of 9.8, is being actively exploited by threat actors. The flaw allows unauthenticated HTTP access that could lead to takeover of the Oracle Payments component. Oracle has released patches for this vulnerability as part of its May Critical Security Patch Update, which addresses 77 vulnerabilities in total. Threat intelligence firm Defused reported recent exploitation attempts against the flaw in its EBS honeypots.
Organizations are advised to apply Oracle's patches immediately because of the critical nature of the vulnerability, especially given past incidents in which groups such as Cl0p and ShinyHunters targeted Oracle products.