Description
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Client Bundle component of Oracle WebCenter Enterprise Capture. It allows an attacker with low‑level network access to compromise the application. Successful exploitation can lead to complete takeover, affecting confidentiality, integrity and availability of the system.

Affected Systems

Oracle WebCenter Enterprise Capture versions 12.2.1.4.0 and 14.1.2.0.0 are affected. Although the flaw is in this product, the scope changes stated in the description indicate that attacks may also impact other Oracle Fusion Middleware components.

Risk and Exploitability

The CVSS v3.1 score of 9.9 signifies a critical vulnerability that can be exploited over the network via the T3 and IIOP protocols. The EPSS of less than 1% suggests that recorded exploits are rare, yet the high severity warrants proactive action. The vulnerability is not currently listed in the CISA KEV catalog. The attack requires only a low‑privileged network connection and can be conducted by remote actors, making it a realistic threat.

Generated by OpenCVE AI on June 17, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Oracle WebCenter Enterprise Capture release that contains the fix.
  • Restrict inbound T3 and IIOP traffic to trusted hosts or apply firewall rules to block untrusted connections.
  • Apply Oracle’s recommended hardening guidelines for WebCenter Enterprise Capture and monitor logs for suspicious activity.

Generated by OpenCVE AI on June 17, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Client Bundle in Oracle WebCenter Enterprise Capture
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Enterprise Capture
CPEs cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_enterprise_capture:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Enterprise Capture
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Enterprise Capture
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:42:43.340Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35282

cve-icon Vulnrichment

Updated: 2026-06-17T13:42:28.628Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:58Z

Weaknesses