This vulnerability affects Oracle Project Portfolio Analysis component of Oracle E-Business Suite versions 12.2.3 to 12.2.15. It permits a low privileged attacker with network access over HTTP to compromise the application, potentially leading to full system takeover. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update advisory. The vendor strongly recommends applying these patches without delay to prevent exploitation.

Successful exploitation allows an attacker with low privileges and network access via HTTP to fully compromise Oracle Project Portfolio Analysis, impacting confidentiality, integrity, and availability of the system. This can lead to complete takeover of the affected application instance.

Oracle has released security patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers should apply these patches promptly to remediate the vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges from users. Oracle strongly recommends staying on actively supported versions and applying security updates without delay. Patch status is confirmed by the vendor advisory linked in the report.