Description
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the client bundle of Oracle WebCenter Enterprise Capture allows a low‑privilege attacker with network access via the T3 or IIOP protocols to take full control of the application. The vulnerability, rooted in an access‑control weakness (CWE‑284), can compromise confidentiality, integrity, and availability, and the attacker can leverage the change in scope to affect other products that use the same component.

Affected Systems

The affected component is Oracle WebCenter Enterprise Capture version 12.2.1.4.0 and 14.1.2.0.0. No other product versions are listed as impacted, but the description notes that related items may also be affected due to the scope change.

Risk and Exploitability

The CVSS 3.1 base score of 9.9 indicates critical severity, while an EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not in the CISA KEV catalog. Attackers need only low‑privilege credentials and networking access over T3 or IIOP, indicating a realistic path to compromise.

Generated by OpenCVE AI on June 18, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle patch or upgrade to a version that does not contain the vulnerability.
  • Restrict inbound traffic to the T3 and IIOP ports so that only trusted networks can reach Oracle WebCenter Enterprise Capture.
  • Enforce role‑based access controls and ensure least privilege for accounts interacting with the client bundle, mitigating the underlying CWE‑284 weakness.

Generated by OpenCVE AI on June 18, 2026 at 22:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Critical Remote Code Execution via Client Bundle in Oracle WebCenter Enterprise Capture

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Enterprise Capture
CPEs cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_enterprise_capture:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Enterprise Capture
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Enterprise Capture
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:46:27.889Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35281

cve-icon Vulnrichment

Updated: 2026-06-17T13:46:22.528Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:05:00Z

Weaknesses