This vulnerability affects Oracle Subledger Accounting component of Oracle E-Business Suite versions 12.2.3 through 12.2.15. It is a difficult to exploit vulnerability that allows a low privileged attacker with network access via HTTP to compromise the product, potentially resulting in takeover. The CVSS 3.1 vector indicates network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Oracle has published this vulnerability as part of its June 2026 Critical Security Patch Update advisory, which includes 245 security patches across multiple Oracle products. The advisory strongly urges customers to apply the patches without delay and stay on actively supported versions. No explicit patch link for this specific CVE was provided, but the advisory references the comprehensive patch update containing the fix.

Successful exploitation can lead to full compromise of Oracle Subledger Accounting, impacting confidentiality, integrity, and availability of the system. This could allow an attacker to take over the affected product, potentially leading to unauthorized data access, modification, or disruption of accounting operations.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability among others. Customers are strongly advised to apply the June 2026 Critical Security Patch Update promptly to remediate this issue. Until patches are applied, risk may be mitigated by blocking network protocols required for exploitation and by removing unnecessary privileges or access to packages for users without need. These mitigations may impact application functionality and should be applied cautiously. Patch status is confirmed by the vendor advisory indicating the fix is included in the June 2026 update.