Description
Vulnerability in the Oracle HRMS (UK) product of Oracle E-Business Suite (component: UK Payroll). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HRMS (UK). Successful attacks of this vulnerability can result in takeover of Oracle HRMS (UK). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle HRMS (UK) Payroll within Oracle E‑Business Suite contains a flaw that can be easily exploited by an attacker who already has high‑level access and can reach the system over HTTP. The vulnerability is a broken access control that permits the attacker to compromise the application, resulting in full takeover of HRMS (UK) and loss of confidentiality, integrity and availability.

Affected Systems

Affected products are Oracle Corp’s Oracle HRMS (UK) Payroll component of Oracle E‑Business Suite. Versions 12.2.3 through 12.2.15 are vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 indicates significant impact if exploited. An EPSS score of less than 1% suggests the probability of real‑world exploitation is very low but not zero. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires network access over HTTP and an attacker with high privileges; a successful attack would lead to takeover of the HRMS (UK) services.

Generated by OpenCVE AI on June 19, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch or update for Oracle HRMS (UK) covering versions 12.2.3 to 12.2.15, as announced in Oracle Security Alerts.
  • Restrict HTTP access to the HRMS services to known, trusted IP ranges or enforce segmentation through firewalls or application‑level controls.
  • Enable and review application and authentication logs for suspicious or elevated privilege activity that may indicate exploitation attempts.

Generated by OpenCVE AI on June 19, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Oracle HRMS (UK) Payroll Broken Access Control Enables Application Takeover

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title High Privileged Network Exploit in Oracle HRMS UK Payroll Leading to Full Compromise
Weaknesses CWE-200
CWE-284

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title High Privileged Network Exploit in Oracle HRMS UK Payroll Leading to Full Compromise
Weaknesses CWE-200
CWE-269
CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle HRMS (UK) product of Oracle E-Business Suite (component: UK Payroll). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HRMS (UK). Successful attacks of this vulnerability can result in takeover of Oracle HRMS (UK). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle hrms
CPEs cpe:2.3:a:oracle:hrms:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle hrms
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T19:07:32.706Z

Reserved: 2026-05-18T15:55:10.313Z

Link: CVE-2026-46953

cve-icon Vulnrichment

Updated: 2026-06-17T19:06:55.511Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:53Z

Weaknesses
  • CWE-269

    Improper Privilege Management