Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Oracle WebLogic Server permits a low‑privileged attacker that can reach the server through HTTP to execute arbitrary code with system‑level privileges. This vulnerability is a CWE‑284 (Insecure Permissions) flaw. It allows full compromise of the server, giving the attacker unrestricted access to all data and the ability to disrupt or shut down the service. The flaw resides in the core component of the Fusion Middleware stack and can alter the scope, affecting additional products within the application stack.

Affected Systems

Oracle WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0 on all supported platforms are affected. The CPE entries indicate the specific builds. These versions were released as part of Oracle Fusion Middleware and include the WebLogic Server core component.

Risk and Exploitability

The CVSS v3.1 base score of 9.9 reflects complete confidentiality, integrity, and availability impacts. The EPSS score of less than 1% indicates that, while the vulnerability is easily exploitable, it has not yet been widely leveraged in the wild. The likely attack vector is a normal HTTP connection from an external network; an attacker needs only low privileges to launch the exploit, and a successful compromise can lead to full server takeover. The flaw is not yet listed in the CISA KEV catalog, but the severity warrants urgent action.

Generated by OpenCVE AI on June 19, 2026 at 00:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for WebLogic Server or upgrade to a release that includes the fix.
  • Restrict HTTP access to the server by configuring firewalls, ACLs, or network segmentation so that only trusted hosts can connect.
  • Disable or secure any administrative or REST interfaces that are not required for operation.

Generated by OpenCVE AI on June 19, 2026 at 00:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Title Low-Privilege HTTP Exploit Allows Full WebLogic Server Takeover

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Low Privilege Remote Code Execution via HTTP in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0
Weaknesses CWE-285
CWE-937

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low Privilege Remote Code Execution via HTTP in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0
Weaknesses CWE-284
CWE-285
CWE-937
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Weblogic Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:19.460Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35263

cve-icon Vulnrichment

Updated: 2026-06-17T14:26:32.573Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:15:03Z

Weaknesses