Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reachable over HTTP with any low-privilege EBS account and no user interaction; Oracle states full takeover of the Quality module, giving high C/I/A within an unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Quality product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Quality. Successful attacks of this vulnerability can result in takeover of Oracle Quality. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in the Oracle Quality module of Oracle E-Business Suite 12.2.3 through 12.2.15 allows a low-privileged attacker with HTTP network access to fully compromise the Quality component, impacting confidentiality, integrity, and availability (CVSS 3.1 8.8). The flaw resides in the Internal Operations component and is rated easily exploitable by Oracle's own advisory, though no public exploit identified at time of analysis and the issue is not yet listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must reach the Oracle E-Business Suite web tier over HTTP/HTTPS and hold valid credentials for any low-privilege EBS account (PR:L), with no user interaction required and no scope change. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:L/UI:N with full C/I/A high and unchanged scope makes this a credible priority for any internet-facing or broadly accessible EBS deployment: any authenticated EBS user - including low-privilege internal accounts often issued to many employees, suppliers, or contractors via iSupplier/iStore portals - can take over the Quality component without user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A contractor or internal employee with any low-privilege EBS responsibility authenticates to the Oracle E-Business Suite web tier and issues crafted HTTP requests to the Oracle Quality module's Internal Operations endpoints, abusing the flaw to escalate within the Quality application and read, modify, or destroy quality-management data such as inspection records, supplier non-conformance reports, and collection plans. With Oracle stating exploitation is 'easy' and requires only PR:L, the scenario is realistic against any organization that issues broad authenticated EBS access; no public POC is currently identified. |
| Remediation | Apply the fixes shipped in Oracle's June 2026 Critical Patch Update (Patch available per vendor advisory at https://www.oracle.com/security-alerts/cspujun2026.html); Oracle does not publish individual fix-version numbers per CVE, so administrators must apply the CPU bundle that covers EBS 12.2.3-12.2.15. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all affected EBS Quality module instances (versions 12.2.3-12.2.15) and document user accounts with Quality access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Quality
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37264