Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all WebLogic Server accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
Published: 2026-06-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Console component of Oracle WebLogic Server allows a low-privileged attacker with network access over HTTPS to create, modify or delete critical data held by the server. Successful exploitation also gives unauthorized read access to all data the console can reach. Exploitation requires a separate user to interact with the console, but the attacker needs only minimal privileges and a network connection. The outcome is a loss of both confidentiality and integrity for the affected data.

Affected Systems

Oracle WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0 are affected. Because the CVSS vector records a scope change, the advisory notes that a successful attack may also significantly impact additional products in the same environment.

Risk and Exploitability

The CVSS base score of 8.7 reflects high confidentiality and integrity impacts, while the very low EPSS score (<1%) and the absence of the vulnerability from the CISA KEV catalog suggest that widespread exploitation is currently unlikely. The attack vector is the network over HTTPS, and exploitation requires a person other than the attacker to interact, which limits its immediate impact to environments where such interaction is possible.

Generated by OpenCVE AI on June 17, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Oracle security patch for WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 as released by Oracle.
  • Restrict HTTPS access to the WebLogic console to trusted IP ranges or via a VPN to reduce the attack surface.
  • Ensure that only authorized administrators use the console and apply the principle of least privilege for all console accounts.
  • Enable and regularly review WebLogic access logs to detect unauthorized attempts or anomalous modifications.

Generated by OpenCVE AI on June 17, 2026 at 20:29 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
Description          (none)           (the Description shown at the top of this page, verbatim)
First Time appeared  (none)           Oracle; Oracle weblogic Server
CPEs                 (none)           cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products   (none)           Oracle; Oracle weblogic Server
References           (none)           (none)
Metrics              (none)           cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:35:46.378Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35258

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:15:03Z

Weaknesses

No weakness.