Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Console component of Oracle WebLogic Server allows an attacker with low privileges and network access over HTTP to compromise the server. This vulnerability is rated CVSS 8.8, indicating high impact on confidentiality, integrity, and availability. Successful exploitation can result in complete takeover of the WebLogic Server, giving the attacker full control. It is inferred from the description that the attacker bypasses authorization controls to reach the console.

Affected Systems

Oracle Corporation WebLogic Server, versions 12.2.1.4.0 and 14.1.1.0.0, are affected. These versions correspond to the CPE strings reported for the product.

Risk and Exploitability

The EPSS score of less than 1 % means the exploitation probability is low, yet the vulnerability is not in CISA's KEV catalog. The likely attack vector is a low-privileged user accessing the vulnerable console over HTTP. It is inferred from the description that this access bypasses authorization controls. With a CVSS of 8.8, the risk is high for any organization that exposes a WebLogic console to the network.

Generated by OpenCVE AI on June 18, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch that resolves CVE‑2026‑35299 or upgrade WebLogic Server to a non‑affected release.
  • Restrict network access to the WebLogic console by configuring firewalls or IP whitelisting so that only trusted administrative IPs can reach it.
  • Disable the console service or move it to a segregated internal network segment if possible.

Generated by OpenCVE AI on June 18, 2026 at 22:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege HTTP Remote Server Compromise via Oracle WebLogic Console

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege HTTP Remote Server Compromise via Oracle WebLogic Console
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Weblogic Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:26.778Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35299

cve-icon Vulnrichment

Updated: 2026-06-17T13:12:30.001Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:54Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function