CVE-2026-35292 - Vulnerability Details

Description

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Published: 2026-06-16

Score: 10 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Console component of Oracle WebLogic Server and allows an unauthenticated attacker who can reach the server over HTTP to compromise the entire application. The flaw is easily exploitable and can lead to a full takeover, giving the attacker full control over confidentiality, integrity, and availability of the system. Attackers can gain unrestricted access to the WebLogic Server environment without any prior authentication or user interaction.

Affected Systems

Oracle Corporation's WebLogic Server products are affected. The specific versions impacted are 14.1.2.0.0 and 15.1.1.0.0. Users running these releases should verify whether the WebLogic Console is publicly exposed, as that is the entry point for the exploit.

Risk and Exploitability

The CVSS 3.1 base score of 10.0 reflects a trivial attack complexity, no authentication, no user interaction, and a complete scope change. The EPSS score is below 1%, indicating that the probability of exploitation remains very low, but the potential impact is catastrophic. The vulnerability is not currently listed in the CISA KEV catalog. Because the flaw operates over a network-facing HTTP interface and requires no credentials, it is likely the most straightforward attack path for an adversary. Successful exploitation can result in arbitrary code execution and takeover of the targeted WebLogic Server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

WebLogic Server

affected

Version	Status	Constraints
`14.1.2.0.0`	affected	—
`15.1.1.0.0`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Weblogic Server

95%

Version	Status	Scheme	Platform
`14.1.2.0.0`	affected	generic	—
`15.1.1.0.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest Oracle WebLogic Server patch that addresses the console vulnerability for versions 14.1.2.0.0 and 15.1.1.0.0.
If a patch is temporarily unavailable, restrict HTTP access to the WebLogic Server console to trusted network segments or disable the console entirely.
Configure firewalls or reverse proxies to block or rate‑limit incoming HTTP traffic to the WebLogic Server, and apply standard hardening guidelines such as disabling default accounts and enforcing secure authentication.

Generated by OpenCVE AI on June 17, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00522.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cspujun2026.html

History

Tue, 16 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared		Oracle Oracle weblogic Server
CPEs		cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:::::::* cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:::::::*
Vendors & Products		Oracle Oracle weblogic Server
References		https://www.oracle.com/security-alerts/cspujun2026.html
Metrics		cvssV3_1 `{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Oracle Weblogic Server

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-06-16T19:27:02.258Z

Updated: 2026-06-17T13:23:13.496Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35292

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:00:10Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object