Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Oracle WebLogic Server allows a low-privileged attacker who can reach the server over HTTP to execute arbitrary code with system-level privileges. An attacker can then read, modify, or delete any data on the host and disrupt or shut down the service. Because the flaw changes scope (S:C in the CVSS vector), a compromise of the server can also affect related products in the application stack.

Affected Systems

Oracle WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0 on all supported platforms are affected. The weakness resides in the core component of the Fusion Middleware stack.

Risk and Exploitability

The CVSS v3.1 base score of 9.9 corresponds to a Critical severity rating with full confidentiality, integrity, and availability impacts. The EPSS score of less than 1% indicates a currently low predicted likelihood of exploitation in the wild, even though the vulnerability is easy to exploit. The attack vector is an ordinary HTTP connection from the network; an attacker needs only low privileges to launch the exploit, and the server can be fully compromised. The flaw is not yet listed in the CISA KEV catalog, but the severity warrants urgent action.

Generated by OpenCVE AI on June 17, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch or upgrade to a WebLogic Server release that contains the fix.
  • Restrict network access to HTTP endpoints by configuring firewalls or ACLs so that only trusted hosts can communicate with the server.
  • Disable or secure any unsecured administrative or REST interfaces that are not required for operation.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type                | Values Removed | Values Added
--------------------|----------------|-------------------------------------------------------------------
Description         |                | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared |                | Oracle
                    |                | Oracle weblogic Server
CPEs                |                | cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*
                    |                | cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products  |                | Oracle
                    |                | Oracle weblogic Server
References          |                |
Metrics             |                | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Weblogic Server
MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:28:24.601Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35263

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses

No weakness.