Description
Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Oracle Subledger Accounting allows a low-privileged attacker with network access to send crafted HTTP requests that result in a full compromise of the application, with complete loss of confidentiality, integrity and availability. The vulnerability is rated CVSS 7.5 with a vector of AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: it is exploitable over the network with low privileges and no user interaction, attack complexity is high, and the impact on confidentiality, integrity and availability is high.

Affected Systems

The Oracle Subledger Accounting component of Oracle E-Business Suite, versions 12.2.3 through 12.2.15, is affected. These versions are deployed in organizations using the Internal Operations module.

Risk and Exploitability

The EPSS score of less than 1% suggests that exploit attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. Although the required effort is high, the potential consequence is a complete takeover, so the risk remains significant. Exploitation is believed to occur via the HTTP interface, with a low-privilege attacker sending malicious requests to the internal operations API. No mitigation is indicated in the advisories beyond applying the vendor fix.

Generated by OpenCVE AI on June 17, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch for Subledger Accounting 12.2.3-12.2.15 as detailed in Oracle's security advisory.
  • Configure a web application firewall to detect and block anomalous HTTP requests targeting the Subledger Accounting interfaces.
  • Restrict inbound network traffic to the Subledger Accounting servers to trusted hosts, or place the service behind a VPN to limit exposure.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle subledger Accounting
CPEs | | cpe:2.3:a:oracle:subledger_accounting:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle subledger Accounting
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T19:12:50.768Z

Reserved: 2026-05-18T15:55:10.313Z

Link: CVE-2026-46959

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:00:16Z

Weaknesses

No weakness.