Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data as well as unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).
AnalysisAI
Cross-product data exposure in Oracle Financials Common Modules (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker to access or modify sensitive financial data over HTTP. The scope-changed nature of the flaw means exploitation impacts additional Oracle products beyond Financials Common Modules itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
The affected component is the Common Components module within Oracle Financials Common Modules, a shared layer of Oracle E-Business Suite (EBS) 12.2.x used across financial applications such as General Ledger, Payables, and Receivables. The CPE string cpe:2.3:a:oracle_corporation:oracle_financials_common_modules confirms the targeted product family. The CVSS scope change (S:C) indicates the vulnerable component can affect resources beyond its own security authority - typical in EBS where Common Modules brokers data and authorization for multiple downstream financial products. No CWE is assigned, but the 'Authentication Bypass' tag combined with PR:L suggests an authorization or access-control weakness reachable post-login that escalates an ordinary EBS user's effective privileges across module boundaries.
RemediationAI
Apply the fixes from Oracle's May 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspumay2026.html; exact patched build numbers are listed in that advisory and should be applied to all EBS 12.2.3-12.2.15 environments. If immediate patching is not possible, compensating controls include restricting network access to the EBS application tier (especially the Oracle iSupplier/iStore/self-service portals) to trusted corporate networks or VPN only, auditing and minimizing low-privileged accounts that can reach Financials Common Modules endpoints, and enabling URL firewall rules in EBS to block non-essential responsibilities and functions - note that aggressive URL filtering can break legitimate self-service workflows and should be tested in a non-production environment first. No vendor-confirmed workaround that fully mitigates without patching was published in the available references.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33043
GHSA-736v-m8w8-qf99