SB2026012085 - Multiple vulnerabilities in Primavera P6 Enterprise Project Portfolio Management
Published: January 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-48734)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions to enum properties. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
2) Cross-site scripting (CVE-ID: CVE-2025-26791)
The disclosed vulnerability allows a remote attacker to perform mutation cross-site scripting (XSS) attacks.
The vulnerability exists due to DOMPurify has an incorrect template literal regular expression. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Improper input validation (CVE-ID: CVE-2025-48795)
The vulnerability allows a remote privileged user to read and manipulate data.
The vulnerability exists due to improper input validation within the Endeca Integration (Apache CXF) component in Oracle Commerce Platform. A remote privileged user can exploit this vulnerability to read and manipulate data.
Remediation
Install update from vendor's website.