Description
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle WebCenter Content versions 12.2.1.4.0 and 14.1.2.0.0 contain a vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise the application. The vulnerability can lead to a full takeover of the system, compromising confidentiality, integrity, and availability. The weakness can be characterized as an improper access control flaw that permits execution of malicious code without authentication.

Affected Systems

Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0, components of Oracle Fusion Middleware used for enterprise content management.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 indicates the vulnerability is critical. The EPSS score of <1% reflects a low expressed probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is exploitable via plain HTTP requests without credentials or user interaction, the potential for abuse remains significant, especially when exposed to the Internet.

Generated by OpenCVE AI on June 18, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch referenced in Oracle’s security advisory for WebCenter Content 12.2.1.4.0 and 14.1.2.0.0
  • Restrict HTTP access to the Content Server to trusted hosts, VPN endpoints, or internal networks
  • Disable or remove any unused or open HTTP interfaces on the Content Server

Generated by OpenCVE AI on June 18, 2026 at 23:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution Vulnerability in Oracle WebCenter Content via HTTP

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Code Execution in Oracle WebCenter Content
Weaknesses CWE-284
CWE-287

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Code Execution in Oracle WebCenter Content
Weaknesses CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Content
CPEs cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_content:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Content
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Content
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:09.427Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35286

cve-icon Vulnrichment

Updated: 2026-06-17T13:44:50.080Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:30:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function