Description
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authentication flaw in Oracle WebCenter Sites that permits an unauthenticated attacker to send crafted HTTP requests and thereby compromise the application. This results in full control of the site, leading to loss of confidentiality, integrity and availability. The weakness is identified as CWE‑306.

Affected Systems

Oracle WebCenter Sites from Oracle Corporation, version 12.2.1.4.0 and 14.1.2.0.0, are affected. Any installation of these releases that has not applied the vendor security patch or upgraded contains the vulnerability.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 indicates a critical severity. The EPSS score is under 1 %, indicating a low current exploitation probability, and the vulnerability has not appeared in the CISA KEV catalog. An attacker does not need any credentials; simply sending crafted HTTP requests from the network is sufficient to achieve takeover. The lack of a pre‑authentication barrier coupled with the high impact makes timely patching essential.

Generated by OpenCVE AI on June 19, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle WebCenter Sites security patch that addresses this vulnerability, or upgrade to a release that includes the fix.
  • Block or restrict unauthenticated HTTP access to the WebCenter Sites application using firewalls or reverse proxies until the patch is applied.
  • Ensure that all administrative interfaces require authentication and limit exposure to trusted users or IP addresses.

Generated by OpenCVE AI on June 19, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Exploit Leads to Full Takeover in Oracle WebCenter Sites

Thu, 18 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution in Oracle WebCenter Sites via HTTP Leading to Full Site Takeover
Weaknesses CWE-284

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution in Oracle WebCenter Sites via HTTP Leading to Full Site Takeover
Weaknesses CWE-284
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Sites
CPEs cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Sites
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Sites
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:14:18.807Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35296

cve-icon Vulnrichment

Updated: 2026-06-17T13:14:04.610Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T01:30:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function