Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (oracle) · only source for this CVE.
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible via the File Transmission component, allowing unauthenticated network-based attackers to fully compromise confidentiality, integrity, and availability (CVSS 9.8). The flaw is described by Oracle as easily exploitable over HTTP with no user interaction, and no public exploit identified at time of analysis. Tagged as Information Disclosure and listed in Oracle's May 2026 Critical Patch Update advisory.
Technical ContextAI
Oracle E-Business Suite (EBS) is Oracle's flagship enterprise resource planning suite, and the Oracle Payments module is the centralized funds-capture and disbursement engine used across Receivables, Payables, Loans, and other financial modules. The vulnerable File Transmission component is responsible for moving payment instruction files (settlement batches, bank statements, payment confirmations) between EBS and external financial institutions, typically over HTTP-based transports. No CWE was assigned in the provided data, but the unauthenticated-over-HTTP profile combined with full CIA impact is consistent with the class of input-handling or deserialization weaknesses that have historically affected EBS web-tier servlets exposed by the OA Framework. The CPE string cpe:2.3:a:oracle_corporation:oracle_payments:*:*:*:*:*:*:*:* identifies the Payments product specifically rather than the broader EBS stack.
RemediationAI
Apply Patch available per vendor advisory - install the Oracle E-Business Suite 12.2 patch bundle published in the May 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspumay2026.html), following Oracle's standard adop/Online Patching procedure for the 12.2 codeline. Until patching is complete, restrict network reachability of the EBS web tier so the Payments File Transmission servlets are not exposed to untrusted networks: place the OA Framework front-ends behind a WAF or reverse proxy and block direct internet access to /OA_HTML/ Payments endpoints, accepting the trade-off that legitimate external bank/file-transmission integrations may need allowlisted IPs reconfigured. Consider tightening URL firewall rules in $CONTEXT_FILE (s_url_firewall) to reject unexpected hosts, noting that misconfiguration can break OAF redirects. No vendor-released patch version string beyond the May 2026 CPU bundle was provided, so confirm the exact patch number from the My Oracle Support note referenced by the CPU advisory before deployment.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33040
GHSA-pv4m-gf99-c5jr