Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Oracle states network HTTP access with a low-privileged account and no user interaction yields full takeover of the module, so AV:N/AC:L/PR:L/UI:N with C:H/I:H/A:H and unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the module over HTTP. Oracle's June 2026 Critical Patch Update rates the issue 8.8 with high confidentiality, integrity, and availability impacts, and the CVSS vector flags it as easily exploitable; no public exploit identified at time of analysis and the issue is not on CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must possess valid credentials for any low-privileged Oracle E-Business Suite 12.2 account that can authenticate to the Project Portfolio Analysis module's Internal Operations component over HTTP/HTTPS, and must have network reachability to the EBS web tier (Oracle HTTP Server / WebLogic forms or OA Framework URLs). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine priority for any EBS 12.2 operator: CVSS 8.8 with AV:N/AC:L/PR:L/UI:N means a single low-privileged EBS account (any self-service or named portfolio user) can fully take over the module over HTTP, and EBS web tiers are frequently reachable from intranet or partner networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has phished or otherwise obtained any low-privileged Oracle EBS account logs into the Project Portfolio Analysis self-service interface and sends a crafted HTTP request to an Internal Operations endpoint. Because no user interaction is required and complexity is low, a single request chain elevates the attacker to full read/write/destroy control of the module, enabling manipulation of project financial data or use of the module as a pivot into the wider EBS stack. … |
| Remediation | Patch available per vendor advisory: apply the Oracle Critical Patch Update of June 2026 for Oracle E-Business Suite 12.2 as described at https://www.oracle.com/security-alerts/cspujun2026.html - Oracle does not publish per-CVE point versions, so install the CPU bundle covering Project Portfolio Analysis on all 12.2.3-12.2.15 environments. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Oracle PPA 12.2.3-12.2.15 in production and test environments; restrict HTTP access to PPA modules to administrative personnel only via firewall rules; audit current user privilege assignments in affected instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authenticated takeover of Oracle Project Portfolio Analysis (E-Business Suite versions 12.2.3 through 12.2.15) is possib
Full product takeover of Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) is possible
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37272