Description
Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data as well as unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).
Published: 2026-05-28
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote access vulnerability in Oracle Financials Common Modules allows an attacker with low privileges and network access over HTTP to compromise the application. The flaw can be exploited easily, giving the attacker unauthorized read access to confidential data and the ability to insert, update, or delete some data. The CVSS 3.1 vector indicates a high confidentiality impact (C = H) and a lower integrity impact (I = L), with no availability impact.

Affected Systems

The affected product is Oracle Financials Common Modules, version range 12.2.3 through 12.2.15 inclusive. Versions outside this range are not reported as impacted. Because the vulnerability carries a scope change, additional Oracle E‑Business Suite components that rely on the Common Modules may also be at risk.

Risk and Exploitability

The CVSS base score of 8.5 signals substantial risk. The EPSS score of < 1 % indicates only a very small probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the standard web interface over HTTP: per the CVSS vector (AV:N, PR:L), a remote attacker who already holds low‑privilege access can read or tamper with data in the Common Modules. The scope change could allow an attacker to affect other modules that share the compromised data store.

Generated by OpenCVE AI on May 30, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patches for Financials Common Modules as recommended in the official Oracle security alert.
  • Restrict HTTP access to the Common Modules to trusted IP ranges or behind a firewall to limit network reachability.
  • Enforce strict least‑privilege policies on application users and database roles; remove unnecessary permissions that could allow data modification.



Advisories

No advisories yet.

History

Sat, 30 May 2026 01:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Access via HTTP in Oracle Financials Common Modules
Weaknesses CWE-200
CWE-284

Fri, 29 May 2026 23:15:00 +0000

Type Values Removed Values Added
Title Remote Exploitable Access Control Vulnerability in Oracle Financials Common Modules
Weaknesses CWE-284
CWE-732

Fri, 29 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Exploitable Access Control Vulnerability in Oracle Financials Common Modules
Weaknesses CWE-284
CWE-732

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data as well as unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).
First Time appeared Oracle
Oracle financials Common Modules
CPEs cpe:2.3:a:oracle:financials_common_modules:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle financials Common Modules
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:39:13.706Z

Reserved: 2026-05-18T15:55:10.303Z

Link: CVE-2026-46820

Vulnrichment

Updated: 2026-05-29T15:39:09.499Z

NVD

Status: Analyzed

Published: 2026-05-28T21:16:31.890

Modified: 2026-05-29T20:58:47.073

Link: CVE-2026-46820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T01:30:12Z