Description
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Oracle WebCenter Content’s Content Server component and allows an attacker with network access via HTTP to obtain high‑privilege rights and ultimately take full control of the server. Because the flaw affects privileges directly (CWE‑284), successful exploitation results in full confidentiality, integrity, and availability compromise, enabling an attacker to read, modify, delete content, install backdoors, and pivot to other connected systems.

Affected Systems

Oracle WebCenter Content versions 12.2.1.4.0 and 14.1.2.0.0 are affected. The vulnerability can also impact additional products that interact with WebCenter Content due to the scope change, meaning that a single compromise could spread to other components within the same Oracle Fusion Middleware stack.

Risk and Exploitability

The CVSS 3.1 base score of 9.1 indicates critical severity, while the EPSS score of <1 % suggests a low overall exploitation probability at present. The flaw is not listed in the CISA KEV catalog. The likely attack vector is over HTTP from an external network and requires an attacker with a high‑privilege state; successful exploitation leads to a full takeover of the Content Server and potentially further intrusion across connected systems.

Generated by OpenCVE AI on June 18, 2026 at 23:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle WebCenter Content to the latest patched release that addresses CVE‑2026‑35270.
  • Restrict HTTP access to the Content Server to trusted IP ranges or through a VPN, and block public exposure of administrative interfaces.
  • Enforce role‑based access control and least‑privilege principles on all privileged interfaces to eliminate the privilege escalation path.
  • Disable or restrict any unused administrative modules and interfaces that are not required for normal operations, reducing the attack surface.

Generated by OpenCVE AI on June 18, 2026 at 23:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title Remote Privilege Escalation via HTTP in Oracle WebCenter Content

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title High Privilege Remote Exploit Allows Takeover in Oracle WebCenter Content
Weaknesses CWE-269
CWE-860

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title High Privilege Remote Exploit Allows Takeover in Oracle WebCenter Content
Weaknesses CWE-269
CWE-284
CWE-860
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Content
CPEs cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_content:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Content
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Content
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:33.789Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35270

cve-icon Vulnrichment

Updated: 2026-06-17T14:15:52.589Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:45:16Z

Weaknesses