This vulnerability affects Oracle Public Sector Financials (International) versions 12.2.3 to 12.2.15 within Oracle E-Business Suite. It is an easily exploitable flaw that allows a low privileged attacker with network access over HTTP to compromise the product, potentially resulting in full system takeover. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update, which contains 245 security patches across multiple products. Oracle strongly urges customers to apply these patches without delay to mitigate the risk. Workarounds include blocking network protocols required for exploitation and removing unnecessary privileges, but these may disrupt application functionality.

Successful exploitation allows an attacker with low privileges and network access via HTTP to fully compromise Oracle Public Sector Financials (International), impacting confidentiality, integrity, and availability of the system. This can lead to complete takeover of the affected product instance.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers are strongly advised to apply the June 2026 Critical Security Patch Update promptly to remediate this issue. Until patches are applied, risk may be reduced by blocking network protocols required for the attack and removing unnecessary privileges from users, though these mitigations may affect application functionality. Oracle recommends remaining on actively-supported versions and applying security patches without delay.