Description
Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Oracle Complex Maintenance, Repair and Overhaul allows a low‑privileged attacker with network access over HTTP to completely take control of the application, violating confidentiality, integrity, and availability and providing a pathway to full system takeover. The weakness stems from improper access control, privilege escalation, and missing authentication for critical functions (CWE‑284, CWE‑269, CWE‑306).

Affected Systems

Oracle Complex Maintenance, Repair and Overhaul, part of Oracle E‑Business Suite. Versions from 12.2.3 up to and including 12.2.15 are affected, with the vulnerability tied to the internal operations component.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 denotes high severity, while an EPSS score of less than 1% indicates that real‑world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, yet remote exploitation requires only low privilege and HTTP access, making it a high‑risk vector for environments with exposed web interfaces.

Generated by OpenCVE AI on June 18, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch or upgrade Oracle Complex Maintenance, Repair and Overhaul to a version beyond 12.2.15 (or the vendor’s recommended fix).
  • Restrict access to the HTTP interface of Oracle Complex Maintenance, Repair and Overhaul by allowing only trusted internal IP ranges or by placing the service behind a VPN or firewall.
  • Implement strict authentication and privilege controls on the internal operations component, enforce least privilege for all users, and regularly audit role assignments to prevent unauthorized escalation.

Generated by OpenCVE AI on June 18, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Low Privilege HTTP Exploit Enables Full Compromise of Oracle Complex Maintenance, Repair and Overhaul

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low Privilege HTTP Exploit Enables Full Compromise of Oracle Complex Maintenance, Repair and Overhaul
Weaknesses CWE-284

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle complex Maintenance Repair And Overhaul
CPEs cpe:2.3:a:oracle:complex_maintenance__repair_and_overhaul:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle complex Maintenance Repair And Overhaul
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Complex Maintenance Repair And Overhaul
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T17:52:13.627Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46935

cve-icon Vulnrichment

Updated: 2026-06-18T17:50:43.352Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control

  • CWE-306

    Missing Authentication for Critical Function