Description
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Person). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Human Resources. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Person component of Oracle Human Resources and enables an unauthenticated attacker with network access via HTTP to compromise the system. Successful exploitation requires human interaction from a user other than the attacker, after which the attacker can take full control of the application, leading to loss of confidentiality, integrity and availability of HR data. The CVSS 3.1 base score of 7.5 indicates a high severity level.

Affected Systems

Affected installations include Oracle Human Resources, part of Oracle E‑Business Suite, for versions 12.2.3 through 12.2.15 as specified by the vendor’s advisory.

Risk and Exploitability

The EPSS score of less than 1% suggests that exploit attempts are currently rare, and the vulnerability is not listed in KEV. Even so, the requirement for human interaction and the wide network exposure over HTTP raise the overall risk. If exploited, the attacker can assume complete control over the application, potentially bypassing all security controls and exposing or manipulating sensitive personnel data.

Generated by OpenCVE AI on June 17, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Human Resources to any release issued after version 12.2.15 that incorporates the patch referenced in Oracle’s 2026 security bulletin
  • Restrict inbound HTTP traffic to the Human Resources servers by permitting access only from trusted internal hosts or secured VPN connections
  • Provide targeted user awareness training that warns staff against interacting with unsolicited requests or messages that could be part of the exploitation chain

Generated by OpenCVE AI on June 17, 2026 at 18:54 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Person). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Human Resources. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). |
| First Time appeared | | Oracle; Oracle human Resources |
| CPEs | | cpe:2.3:a:oracle:human_resources:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle human Resources |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T18:33:56.774Z

Reserved: 2026-05-18T15:55:10.313Z

Link: CVE-2026-46955

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:00:10Z

Weaknesses

No weakness.