Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS module (AV:N), needs valid low-priv EBS account (PR:L), Oracle states exploitation is difficult (AC:H), no UI, full module takeover gives C/I/A:H within same scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full compromise of Oracle HR Intelligence (a module of Oracle E-Business Suite) is possible for an authenticated low-privileged attacker who can reach the Internal Operations component over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw affects EBS versions 12.2.3 through 12.2.15 and yields high impact across confidentiality, integrity, and availability, though Oracle rates exploitation as difficult (AC:H). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Oracle HR Intelligence is a Human Resources analytics module that ships as part of the Oracle E-Business Suite 12.2 application stack, running on the Oracle Application Server / WebLogic middleware tier and backed by the Oracle Database. The vulnerability lives in the 'Internal Operations' component, which handles administrative and back-office HR data flows reachable through the EBS HTTP front end. Oracle did not assign a CWE and does not disclose root-cause details in CPU advisories; CVSS impact metrics C:H/I:H/A:H combined with the 'takeover of Oracle HR Intelligence' language are consistent with an authenticated logic or injection flaw in an HTTP-exposed module rather than a memory-corruption bug.
RemediationAI
Apply the Oracle E-Business Suite patches bundled in the June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); Oracle ships HR Intelligence fixes as part of the standard EBS 12.2 patchset for versions 12.2.3 through 12.2.15, and Patch available per vendor advisory with no separate fix version number disclosed. Until the CPU is applied, restrict access to the EBS HTTP tier and HR Intelligence URLs to trusted corporate networks via the Oracle HTTP Server URL firewall (mod_rewrite/DAD restrictions) or a perimeter WAF, accepting that this breaks legitimate remote self-service access. Audit and minimise low-privilege EBS accounts (especially generic HR self-service users) and enforce MFA on the EBS login flow to raise the bar against the PR:L prerequisite; the trade-off is added friction for end users.
More in Oracle Hr Intelligence
View allFull compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite 12.2.3 through 12.
Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 th
Same weakness CWE-284 – Improper Access Control
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37281