Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS component, vendor labels exploitation easy with no user interaction, requires a low-privileged EBS account, and results in full Quality module takeover (C/I/A High).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Quality product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Quality. Successful attacks of this vulnerability can result in takeover of Oracle Quality. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover of the Oracle Quality module in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the component over HTTP. Per the vendor's June 2026 Critical Patch Update advisory the issue is rated CVSS 8.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network reachability to the Oracle E-Business Suite web tier over HTTP/HTTPS, and (2) a valid low-privileged authenticated session on EBS (PR:L) capable of reaching the Oracle Quality module's Internal Operations component on a supported 12.2.3-12.2.15 deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H combined with Oracle's own 'easily exploitable' language indicates a genuinely high real-world risk for any EBS environment where low-privileged accounts can reach the Quality module over HTTP - this is the typical condition in EBS deployments, where many internal users hold low-privilege roles. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained any low-privileged Oracle E-Business Suite account - for example a generic internal employee responsibility or a compromised contractor login - sends crafted HTTP requests to the Oracle Quality Internal Operations component over the EBS web tier and achieves full takeover of the Quality module, allowing them to read, modify, or destroy quality-management data. Because Oracle rates the issue 'easily exploitable' and the CVSS vector is AC:L/UI:N, no user interaction or unusual conditions are required once a low-privilege session exists, although no public exploit is identified at time of analysis. |
| Remediation | Apply the patch available per vendor advisory by installing the Oracle E-Business Suite fixes shipped in the June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); Oracle does not publish a discrete fixed micro-version for EBS modules, so the CPU patch set itself is the authoritative remediation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Oracle E-Business Suite deployments running versions 12.2.3-12.2.15 with the Quality module enabled; assess which systems are accessible from untrusted networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Quality
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37263