Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vulnerability in the WebLogic Server Console component allows an unauthenticated attacker with HTTPS network access to execute arbitrary code on the server, leading to full takeover. The exploit can compromise confidentiality, integrity, and availability. Successful attacks require a user other than the attacker to interact, indicating a social‑engineering component.

Affected Systems

Oracle WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0 are affected. No other versions are listed. The vulnerability applies to any platform running these builds.

Risk and Exploitability

The CVSS 3.1 score of 8.8 indicates high severity. However, the EPSS score of less than 1% suggests a low probability of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog. Attackers would target the console over HTTPS; practical exploitation would likely involve a human user other than the attacker, which increases complexity.

Generated by OpenCVE AI on June 17, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle WebLogic Server security patch that addresses CVE-2026-35259 to versions 14.1.2.0.0 and 15.1.1.0.0.
  • Restrict access to the WebLogic Server Console by limiting connections to trusted IP addresses or an internal network and disable the console if it is not needed for operations.
  • Enforce strong authentication and secure HTTPS configurations for the console, including up-to-date TLS certificates and authenticators.

Generated by OpenCVE AI on June 17, 2026 at 21:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Oracle Weblogic Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:34:58.149Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35259

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses

No weakness.