Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the WebLogic Server Console component and is due to a Server Side Request Forgery (CWE-601) that allows network access to execute arbitrary code on the server, potentially leading to full takeover. The CVE states that successful attacks require a user other than the attacker to interact with the console, indicating a social-engineering requirement. This means the attacker can influence a victim’s browser to trigger the console and then exploit the vulnerability to compromise confidentiality, integrity, and availability of the WebLogic Server.

Affected Systems

Oracle WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0 are affected. The vulnerability applies to any platform running these builds and makes the console reachable over HTTPS.

Risk and Exploitability

The CVSS 3.1 score of 8.8 denotes high severity. The EPSS score of less than 1% indicates a low probability of current exploitation, and the issue is not listed in the CISA KEV catalog. Attackers would target the console over HTTPS; practical exploitation requires a secondary user to interact with the console, increasing complexity and reducing the likelihood of automated attacks.

Generated by OpenCVE AI on June 19, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle WebLogic Server security patch that addresses CVE-2026-35259 to affected versions.
  • Restrict access to the WebLogic Server Console by limiting connections to trusted hosts or internal network segments, or disable the console if it is not needed for operations.
  • Enforce strong authentication and secure HTTPS configurations for the console, including up-to-date TLS certificates and appropriate authentication mechanisms.

Generated by OpenCVE AI on June 19, 2026 at 00:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title WebLogic Server Console Vulnerability Allows Remote Takeover via SSRF

Thu, 18 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution Vulnerability in Oracle WebLogic Server Console
Weaknesses CWE-94

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution Vulnerability in Oracle WebLogic Server Console
Weaknesses CWE-601
CWE-94
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Weblogic Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:14.963Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35259

cve-icon Vulnrichment

Updated: 2026-06-17T14:34:49.590Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:30:17Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')