Description
Vulnerability in the Oracle Spares Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Spares Management. Successful attacks of this vulnerability can result in takeover of Oracle Spares Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in Oracle Spares Management’s Internal Operations component that permits a low‑privileged attacker with HTTPS network access to compromise the system. Successful exploitation allows the attacker to fully take over Oracle Spares Management, resulting in complete loss of confidentiality, integrity, and availability for that component. The weakness aligns with improper authentication or input validation, enabling unauthorized control over the management platform. The CVSS 3.1 base score of 8.8 denotes a high severity threat with direct system compromise.

Affected Systems

Oracle Corporation’s Oracle Spares Management, part of Oracle E‑Business Suite. Versions 12.2.3 through 12.2.15 are affected; newer releases are not impacted.

Risk and Exploitability

The CVSS score indicates a high‑severity vulnerability with low authentication requirements (PR:L) and network‑accessible HTTPS entry. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the easily exploitable nature of the flaw allows a hostile actor to gain full control of the system, potentially enabling lateral movement or data exfiltration.

Generated by OpenCVE AI on June 17, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available Oracle Spares Management patch to mitigate the vulnerability.
  • If a patch is not yet available, restrict HTTPS traffic to trusted IP ranges only or place the application behind a hardened firewall.
  • Implement network segmentation to isolate Oracle Spares Management from untrusted networks so that a local compromise cannot be leveraged to reach other critical assets.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Vulnerability in the Oracle Spares Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Spares Management. Successful attacks of this vulnerability can result in takeover of Oracle Spares Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). |
| First Time appeared | | Oracle; Oracle spares Management |
| CPEs | | cpe:2.3:a:oracle:spares_management:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle spares Management |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:18:19.921Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46928

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:15:02Z

Weaknesses

No weakness.