Description
Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the Oracle Project Portfolio Analysis component of Oracle E‑Business Suite that allows an attacker with high privileges to exploit an HTTP interface. The flaw permits full compromise of the application, leading to loss of confidentiality, integrity, and availability. The CVSS 3.1 base score of 7.2 reflects data‑owner compromise with no user interaction required. Once the vulnerability is triggered, the attacker gains administrative control over the Project Portfolio Analysis service, effectively taking over the entire application.

Affected Systems

Oracle Corporation’s Oracle Project Portfolio Analysis product, part of the Internal Operations component of Oracle E‑Business Suite, is affected in versions 12.2.3 through 12.2.15. The product is accessed via HTTP; only systems that expose this interface over the network are at risk.

Risk and Exploitability

The CVSS score of 7.2 indicates a high‑risk flaw, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network‑based exploit through the HTTP interface, requiring the attacker to already possess high‑privilege credentials or to exploit a credential‑related weakness; this inference is drawn from the description that a high‑privileged attacker with network access can compromise the service. Because the vulnerability permits full administrative takeover of the Project Portfolio Analysis application, the impact on confidentiality, integrity and availability is severe and warrants prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and apply the latest Oracle E‑Business Suite security update that fixes the Project Portfolio Analysis issue for versions 12.2.3‑12.2.15.
  • Restrict HTTP access to the Project Portfolio Analysis service by applying firewall rules or network segmentation so that only trusted internal hosts can reach it.
  • Disable or block any unused HTTP interfaces or legacy services exposed by the affected product.
  • Monitor system logs for anomalous authentication or administrative activity targeting Project Portfolio Analysis and investigate suspicious events promptly.

Generated by OpenCVE AI on June 17, 2026 at 22:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Oracle Project Portfolio Analysis Remote Takeover via HTTP Exploit
Weaknesses CWE-269
CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle project Portfolio Analysis
CPEs cpe:2.3:a:oracle:project_portfolio_analysis:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle project Portfolio Analysis
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Project Portfolio Analysis
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T18:11:49.438Z

Reserved: 2026-05-18T15:55:10.313Z

Link: CVE-2026-46960

cve-icon Vulnrichment

Updated: 2026-06-17T18:10:49.661Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T08:00:07Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control