Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Oracle's description supports network HTTP exploitation (AV:N/AC:L), a low-privileged account (PR:L), no user interaction, scope change into adjacent products, and full takeover of the AP module (C:H/I:H/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. While the vulnerability is in JD Edwards EnterpriseOne Accounts Payable, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Accounts Payable. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Takeover of Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 is possible by a low-privileged remote attacker over HTTP, with scope-changing impact on adjacent products. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise plus a scope change (S:C), and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network HTTP reachability to the Accounts Payable component of an Oracle JD Edwards EnterpriseOne 9.2 deployment and (2) any valid low-privileged EnterpriseOne credential (PR:L) - no admin role and no user interaction are needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is high but not yet evidence-backed by exploitation telemetry. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been issued any low-privileged EnterpriseOne account - for example a compromised AP clerk, an over-provisioned vendor portal user, or a phished consultant - sends a crafted HTTP request to the Accounts Payable component. The scope change allows the attack to reach beyond Accounts Payable into adjacent EnterpriseOne services, ending in full takeover of the AP module and likely a foothold into broader financial data and processes. … |
| Remediation | Patch available per vendor advisory: apply the fixes bundled in the Oracle June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) to JD Edwards EnterpriseOne 9.2 environments at the earliest scheduled maintenance window. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Oracle JD Edwards 9.2 AP systems in your environment and restrict network access to administrative personnel only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37227