This vulnerability affects Oracle Project Portfolio Analysis versions 12.2.3 through 12.2.15 and allows a low privileged attacker with network access via HTTP to compromise the application. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update, which contains targeted security fixes. Oracle strongly advises customers to apply these patches without delay to prevent exploitation.

Successful exploitation of this vulnerability can lead to complete compromise of Oracle Project Portfolio Analysis, affecting confidentiality, integrity, and availability of the system. This could allow attackers to take over the application, potentially leading to unauthorized access to sensitive project portfolio data and disruption of business operations.

Oracle has released security patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches promptly. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges from users. Oracle recommends remaining on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory. No alternative or temporary fixes are specified.