Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Network-reachable over HTTPS with no attacker credentials (AV:N/AC:L/PR:N), but requires victim interaction (UI:R); yields full read/write on ECC data (C:H/I:H) with no availability impact and unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
AnalysisAI
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows unauthenticated remote attackers to gain full read/write access to all framework-accessible data after tricking a user into interacting with a malicious request. The flaw is reachable over HTTPS with low attack complexity but requires user interaction, and no public exploit identified at time of analysis. Oracle published a vendor advisory in the June 2026 Critical Patch Update.
Technical ContextAI
Oracle Enterprise Command Center Framework (ECC) is an analytics and visualization layer bundled with Oracle E-Business Suite (EBS) that provides discovery-style dashboards over EBS application data. It runs as a Java/Weblogic-based web component exposed via HTTPS to EBS users. CWE was not assigned by Oracle, but the combination of network attack vector, no privileges required, mandatory user interaction, and high confidentiality plus integrity impact (with no availability impact and unchanged scope) is consistent with a client-side web vulnerability class such as cross-site scripting, cross-site request forgery, or open redirect/HTML injection - vulnerabilities that abuse an authenticated victim's session against the ECC Core component to read and modify all data the victim can reach.
RemediationAI
Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 for Oracle Enterprise Command Center Framework V15 and V16 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle does not publish a discrete fix version string in the advisory beyond the CPU identifier, so treat 'Patch available per vendor advisory' as the patch status and install the CPU bundle for your EBS release train. As compensating controls until the CPU is deployed, restrict network exposure of the ECC endpoints to trusted internal users via reverse-proxy ACLs or VPN-only access (trade-off: blocks legitimate remote/business-partner access), and instruct ECC users to avoid clicking unsolicited links pointing at the ECC host since exploitation requires user interaction. Standard EBS browser hygiene - separate browser profile for ECC, session timeouts, and strict Referer/SameSite cookie enforcement on the Weblogic frontend - reduces the window in which a phishing lure can ride an authenticated session.
Privileged takeover of Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) a
Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievabl
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Su
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privi
Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Ora
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote atta
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Bu
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37390