Skip to main content

Oracle E-Business Suite CVE-2026-46955

| EUVDEUVD-2026-37266 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

HTTP-reachable and unauthenticated (AV:N, PR:N) but needs a second user to interact (UI:R) and specific conditions (AC:H); successful attack fully takes over the HR module (C/I/A:H).

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:54 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Person). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Human Resources. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle Human Resources in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible when a remote unauthenticated attacker tricks a separate user into interacting with a crafted HTTP request targeting the Person component. Despite high attack complexity, successful exploitation yields full confidentiality, integrity, and availability impact on the HR module. No public exploit identified at time of analysis.

Technical ContextAI

The flaw resides in the Person component of the Oracle Human Resources product, an HCM module within Oracle E-Business Suite (CPE cpe:2.3:a:oracle_corporation:oracle_human_resources). E-Business Suite is a large web-based ERP platform delivered over HTTP via Oracle Application Server/WebLogic, and the Person subcomponent manages employee identity and demographic records. No CWE is assigned by Oracle, but the combination of remote HTTP delivery, required user interaction by a separate user, and full CIA compromise of the module is consistent with a client-assisted server-side flaw such as stored XSS leading to session/privilege abuse or a CSRF-style request-forgery chain against an authenticated HR operator.

RemediationAI

Patch available per vendor advisory: apply the fixes bundled in Oracle's June 2026 Critical Patch Update for E-Business Suite as detailed at https://www.oracle.com/security-alerts/cspujun2026.html, which covers all listed 12.2.3-12.2.15 releases. Until the CPU can be applied, restrict network reach to the EBS HR Person pages by placing the application behind VPN or an authenticated reverse proxy and blocking direct internet exposure (trade-off: external self-service HR flows break), enforce strict same-site cookies and Referer checks at the load balancer to blunt cross-user request-forgery style chains, and instruct HR operators to avoid clicking untrusted links while authenticated to EBS (trade-off: training-dependent, not a technical control). Do not skip the CPU - Oracle does not publish standalone hotfixes for E-Business Suite.

Share

CVE-2026-46955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy