Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
HTTP-reachable Core component exploitable by any low-privileged EBS user (AV:N/AC:L/PR:L/UI:N); scope change into other EBS modules yields C:H/I:H with only partial DoS (A:L).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
AnalysisAI
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Oracle Enterprise Command Center Framework (ECC) is a guided-navigation and visualization layer embedded in Oracle E-Business Suite (EBS), used to render analytic dashboards backed by an Endeca-derived search/index engine. The 'Core' component handles request routing, session context, and data retrieval between the EBS application tier and the ECC service. No CWE is assigned, but the CVSS profile (AV:N/AC:L/PR:L, Scope:Changed, C:H/I:H/A:L) combined with the tag 'Authentication Bypass' is consistent with an authorization or trust-boundary flaw in the Core component that lets an authenticated EBS user reach data and operations outside their intended security context, propagating impact to other EBS modules sharing the ECC trust boundary.
RemediationAI
Apply the patches delivered in Oracle's June 2026 Critical Patch Update for Oracle Enterprise Command Center Framework V15 and V16 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; an exact post-patch build number is not enumerated in the available data, so consult the CPU advisory matrix to map your ECC release to the correct one-off patch. Until the CPU can be applied, restrict network reachability of the ECC URLs (typically under the EBS /OA_HTML/ context) to trusted internal users via WAF or reverse-proxy ACLs, tighten EBS responsibility assignments so that low-privilege users cannot reach ECC dashboards, and increase auditing of ECC Core requests - these controls reduce exposure but will disrupt legitimate ECC dashboard usage for the blocked user populations. Do not rely on perimeter controls alone, as the CVSS scope change means a single compromised low-privilege account can pivot into other EBS modules.
Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) a
Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievabl
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privi
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Ora
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote atta
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Bu
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a compon
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37220