Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Core component of Oracle WebLogic Server. An attacker with network access to the HTTP interface can exploit the flaw to take complete control of the server, with full confidentiality, integrity, and availability impact. The flaw allows a high-privileged attacker to compromise the entire WebLogic environment and potentially extend the attack to other products, since the CVSS vector marks Scope as Changed (S:C).

Affected Systems

Affected versions are Oracle WebLogic Server 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. These are the supported versions the vendor's advisory lists as affected.

Risk and Exploitability

The CVSS 3.1 base score is 9.1, indicating critical severity. The EPSS score of less than 1% suggests that, while the flaw is easily exploitable, it is currently unlikely to be targeted. The vulnerability is not listed in CISA's KEV catalog. The attack vector is the network, over HTTP, as stated in the description and the CVSS vector (AV:N); the attacker must already hold high privileges before exploitation (PR:H), and no user interaction is required (UI:N).

Generated by OpenCVE AI on June 17, 2026 at 18:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch that addresses CVE-2026-35298 as soon as it is available.
  • If a patch cannot be applied immediately, restrict network access to the WebLogic HTTP interface and enforce the WebLogic security baseline.
  • Configure firewall rules to block unauthorized traffic to the WebLogic server and monitor for suspicious HTTP activity.

Generated by OpenCVE AI on June 17, 2026 at 18:32 UTC.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type: Description
Values removed: (none)
Values added: Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Type: First Time appeared
Values removed: (none)
Values added: Oracle; Oracle weblogic Server

Type: CPEs
Values removed: (none)
Values added:
  cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values removed: (none)
Values added: Oracle; Oracle weblogic Server

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:13:21.594Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35298

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T01:30:04Z

Weaknesses

No weakness.