Skip to main content

Oracle HR Intelligence EUVDEUVD-2026-37280

| CVE-2026-46970 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
7.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable EBS HTTP endpoint (AV:N, AC:L), requires pre-existing high-privileged HR Intelligence account (PR:H), no user interaction, full takeover of the module gives C:H/I:H/A:H within the same scope.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:47 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by an authenticated high-privileged attacker over HTTP. Successful exploitation results in takeover of the HR Intelligence application with confidentiality, integrity, and availability impact (CVSS 3.1 base 7.2). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privileged EBS account
Delivery
Reach EBS HTTP front end
Exploit
Send crafted request to HR Intelligence Internal Operations
Execution
Trigger vulnerability
Persist
Take over HR Intelligence module
Impact
Read or alter HR analytics data

Vulnerability AssessmentAI

Exploitation Attacker must possess high-privileged credentials on Oracle E-Business Suite (PR:H) - typically an HR Intelligence administrator or equivalent responsibility - and must be able to reach the EBS HTTP front end of an installation running Oracle E-Business Suite 12.2.3 through 12.2.15 with the HR Intelligence module deployed and the Internal Operations component accessible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H yields 7.2 (High), driven by full CIA impact tempered by the PR:H requirement, meaning the attacker must already hold high privileges in the EBS environment before exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds (or has compromised) an EBS account with high HR Intelligence privileges connects to the EBS HTTP endpoint and issues a crafted request against the Internal Operations component, abusing the unpatched flaw to take over the HR Intelligence module. The result is unauthorized read/write of HR analytics data and disruption of the service. …
Remediation Patch available per vendor advisory: apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for all Oracle E-Business Suite 12.2.x deployments running HR Intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Oracle E-Business Suite instances in versions 12.2.3-12.2.15 and immediately restrict network access to the HR Intelligence component to defined administrative users only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37280 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy