Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Network HTTP exploitation by an authenticated low-privileged user (PR:L), low complexity, scope change into other EBS products, high C/I impact and only partial DoS justifies A:L.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
AnalysisAI
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker over HTTP to gain unauthorized read, modify, and delete access to all framework-accessible data, with scope change extending impact to other Oracle E-Business Suite products. The CVSS 9.9 score reflects low attack complexity, low privileges required, and the scope change that crosses security boundaries into adjacent products. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Oracle Enterprise Command Center Framework (ECC) is a component of Oracle E-Business Suite that provides a unified interface to surface, search, and analyze operational data across EBS modules - it embeds a search and analytics layer into EBS application screens. The affected component is identified as 'Core', meaning the foundational framework rather than a specific dashboard. CWE is not assigned by the reporter, but the CVSS vector (PR:L, S:C, C:H/I:H/A:L) is characteristic of authorization-bypass or insufficient access-control flaws in multi-tenant web frameworks where an authenticated low-privileged user can pivot to data and functions belonging to other applications integrated through ECC.
RemediationAI
Apply the patches bundled in Oracle Critical Patch Update June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle Enterprise Command Center Framework V15 and V16; Oracle does not publish standalone fix version numbers outside the CPU advisory, so consult the CPU patch matrix for the specific patch identifier matching your EBS release. If immediate patching is not feasible, compensating controls include restricting ECC URLs to trusted internal network segments via a reverse proxy or WAF, auditing and reducing the population of low-privileged EBS accounts that can reach ECC dashboards, and enabling EBS access logging to detect anomalous cross-module data access - note these controls reduce exposure but do not close the underlying authorization defect, and over-aggressive URL filtering may break legitimate ECC dashboard embedding within EBS forms.
Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) a
Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievabl
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Su
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Ora
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote atta
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Bu
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a compon
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37389