Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle Payroll (Self Service Manager component) of Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the Payroll module over HTTP. The CVSS 3.1 base score of 8.8 reflects high impacts to confidentiality, integrity, and availability, and Oracle has issued a fix in the May 2026 Critical Patch Update. No public exploit identified at time of analysis.
Technical ContextAI
Oracle Payroll is a core human capital management module of Oracle E-Business Suite (EBS), an on-premises enterprise resource planning suite widely deployed for HR, finance, and supply chain operations. The vulnerable Self Service Manager component is the web-facing interface that exposes manager-oriented payroll functions over HTTP/HTTPS to authenticated EBS users. The affected version range (12.2.3-12.2.15) covers the entire 12.2.x branch up to the May 2026 CPU, indicating a flaw in shared Self Service Manager logic rather than a feature added in a single release. No CWE was assigned in the provided data, so the underlying weakness class (e.g., access control, injection, deserialization) cannot be confirmed; Oracle's brevity policy typically withholds such detail until customers patch.
RemediationAI
Apply the fixes delivered in the Oracle Critical Patch Update of May 2026 as documented at https://www.oracle.com/security-alerts/cspumay2026.html; this is the primary and only vendor-sanctioned remediation. Patch available per vendor advisory - the exact patched build identifier is enumerated in the CPU matrix for each 12.2.x level and should be applied to all instances in the 12.2.3-12.2.15 range. If immediate patching is not feasible, compensating controls include restricting network access to the Self Service Manager URLs through the Oracle HTTP Server mod_rewrite / URL firewall (note: this may block legitimate manager self-service workflows), tightening responsibility assignments so that the minimum number of users hold Self Service Manager-eligible responsibilities, and increasing monitoring of EBS access logs for anomalous requests to the affected component until the CPU can be deployed.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33049
GHSA-hgjj-98r8-4m7p