Description
Vulnerability in the Oracle Public Sector Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Public Sector Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Public Sector Payroll. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker with network access can reach the Oracle Public Sector Payroll service via HTTP and exploit an easily exploitable vulnerability that allows the attacker to gain high privileged control, effectively taking over the payroll application. The vulnerability can compromise confidentiality, integrity, and availability of payroll data and processes, as indicated by a CVSS 3.1 base score of 7.2.

Affected Systems

The vulnerability affects Oracle Public Sector Payroll, component Internal Operations, on versions 12.2.3 through 12.2.15 of the Oracle E-Business Suite.

Risk and Exploitability

The EPSS score of less than 1% suggests that exploitation is currently unlikely but possible. The vulnerability is not listed in CISA's KEV, yet the high impact and the requirement of a high‑privileged attacker with network access via HTTP make it a moderate to high risk for systems exposed to the network. An attacker would need to be already high privileged within the network with connectivity to the HTTP service to attempt exploitation, making the attack vector relatively simple.

Generated by OpenCVE AI on June 17, 2026 at 22:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch or update for the affected Oracle Public Sector Payroll versions as soon as possible.
  • Restrict HTTP access to the payroll servers to trusted internal networks or VPNs to limit exposure to network‑based attackers.
  • Continuously monitor HTTP traffic and logs for suspicious activity, and enforce strict audit controls on the payroll application.

Generated by OpenCVE AI on June 17, 2026 at 22:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation in Oracle Public Sector Payroll via HTTP
Weaknesses CWE-284
CWE-862
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Public Sector Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Public Sector Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Public Sector Payroll. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle public Sector Payroll
CPEs cpe:2.3:a:oracle:public_sector_payroll:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle public Sector Payroll
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Public Sector Payroll
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:42:27.675Z

Reserved: 2026-05-18T15:55:10.314Z

Link: CVE-2026-46976

cve-icon Vulnrichment

Updated: 2026-06-17T15:41:34.552Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:36Z

Weaknesses