Description
Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Applications Framework. CVSS 3.1 Base Score 4.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
Published: 2026-04-21
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification, read, and partial denial of service.
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the Personalization component of Oracle Applications Framework allows a high‑privileged attacker who can reach the application over HTTP to perform unauthorized updates, inserts, and deletes of some data accessible through the framework, to read a subset of that data, and to cause a partial denial of service. The weakness is improper access control (CWE‑284) reachable only with elevated privileges; the confidentiality, integrity, and availability impacts are each rated Low (C:L/I:L/A:L), and the scope is unchanged, so the effect is confined to the framework itself.

Affected Systems

Oracle Applications Framework, the web UI framework of Oracle E‑Business Suite, is affected in supported versions 12.2.9 through 12.2.15. Any E‑Business Suite 12.2 deployment in that range that exposes the Personalization feature is in scope.

Risk and Exploitability

The CVSS 3.1 base score of 4.7 indicates medium severity. The EPSS score is below 1% (very low), and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is network‑based (HTTP) with low attack complexity and no user interaction, but exploitation requires an already high‑privileged account, so the practical risk is an insider or an attacker who has already obtained an administrative E‑Business Suite login. From that position the attacker can partially compromise the confidentiality, integrity, and availability of framework data.

Generated by OpenCVE AI on April 22, 2026 at 10:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle Applications Framework update that addresses the Personalization component vulnerability.
  • Enforce least‑privilege access controls so that only essential users have high‑privileged roles within the framework, and monitor for unauthorized data changes.
  • Implement auditing of personalization modifications to detect and respond to unauthorized updates, inserts, or deletes performed by high‑privileged users.
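The first step toward least privilege for this component is knowing who can author personalizations at all. The query below is an added example, not part of the OpenCVE page or Oracle documentation; it assumes a standard E‑Business Suite 12.2 schema (FND_PROFILE_OPTIONS_VL, FND_PROFILE_OPTION_VALUES, FND_USER, FND_RESPONSIBILITY_VL) and the well‑known OAF profile options FND_CUSTOM_OA_DEFN ("Personalize Self‑Service Defn") and FND_DISABLE_OA_CUSTOMIZATIONS ("Disable Self‑Service Personal"). Verify the profile option names against your own release before relying on it.

```sql
-- Added example: list every level at which OAF personalization authoring is
-- enabled or disabled, with who set it and when. Run as APPS.
-- Assumed level IDs: 10001 site, 10002 application, 10003 responsibility, 10004 user.
SELECT po.profile_option_name,
       po.user_profile_option_name,
       CASE pov.level_id
         WHEN 10001 THEN 'SITE'
         WHEN 10002 THEN 'APPLICATION'
         WHEN 10003 THEN 'RESPONSIBILITY'
         WHEN 10004 THEN 'USER'
         ELSE TO_CHAR(pov.level_id)
       END AS level_type,
       CASE pov.level_id
         WHEN 10003 THEN (SELECT r.responsibility_name
                          FROM   fnd_responsibility_vl r
                          WHERE  r.responsibility_id = pov.level_value
                          AND    r.application_id   = pov.level_value_application_id)
         WHEN 10004 THEN (SELECT u.user_name
                          FROM   fnd_user u
                          WHERE  u.user_id = pov.level_value)
         ELSE NULL
       END AS level_name,
       pov.profile_option_value,
       pov.last_update_date,
       (SELECT u2.user_name FROM fnd_user u2
        WHERE  u2.user_id = pov.last_updated_by) AS last_updated_by
FROM   fnd_profile_options_vl       po
JOIN   fnd_profile_option_values    pov
       ON pov.profile_option_id = po.profile_option_id
WHERE  po.profile_option_name IN ('FND_CUSTOM_OA_DEFN',
                                  'FND_DISABLE_OA_CUSTOMIZATIONS')
ORDER  BY po.profile_option_name, pov.level_id, pov.last_update_date DESC;
```

Every row where FND_CUSTOM_OA_DEFN is 'Y' is an account or responsibility that can reach the Personalization UI this CVE concerns; anything outside your named administrator set is a least‑privilege gap to close, and a change to these rows that you did not make is the kind of event the auditing recommendation above should alert on. FND_DISABLE_OA_CUSTOMIZATIONS set to 'Y' stops personalizations from being applied at render time; it is a diagnostic switch, not a substitute for patching.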



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
Title Unauthorized Access to Oracle Applications Framework Personalization Component
Weaknesses CWE-284

Wed, 22 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Modification and Partial Denial of Service via Oracle Application Framework Personalization
Weaknesses CWE-284

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Modification and Partial Denial of Service via Oracle Application Framework Personalization
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Applications Framework. CVSS 3.1 Base Score 4.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
First Time appeared Oracle
Oracle applications Framework
CPEs cpe:2.3:a:oracle:applications_framework:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle applications Framework
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:34:01.380Z

Reserved: 2026-03-26T19:48:45.678Z

Link: CVE-2026-34298

Vulnrichment

Updated: 2026-04-22T13:33:47.373Z

NVD

Status : Analyzed

Published: 2026-04-21T21:16:34.887

Modified: 2026-04-24T14:29:00.150

Link: CVE-2026-34298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T10:15:14Z

Weaknesses