Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the WebLogic Server Console permits an unauthenticated attacker with network access via HTTP to take control of WebLogic Server. Successful exploitation bypasses authentication, providing the attacker with full read, write, and execute authority on the server, thereby compromising confidentiality, integrity and availability. The impact extends beyond the WebLogic Server itself, potentially affecting additional Oracle Fusion Middleware components due to the scope change indicated by the CVSS vector.

Affected Systems

Oracle Corporation WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are affected. In these versions the vulnerable Console component can be reached by unauthenticated users over HTTP, exposing the system to remote compromise.

Risk and Exploitability

The CVSS v3.1 score of 10.0 reflects a critical severity, while the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers require only unauthenticated network access over HTTP; no additional privileges or user interaction are needed. The scope change in the CVSS vector suggests that exploitation can affect other products in the same environment.

Generated by OpenCVE AI on June 17, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle WebLogic Server security patch listed in the Oracle security alert for versions 12.2.1.4.0 and 14.1.1.0.0
  • Restrict or block HTTP access to the WebLogic Server console from public or untrusted networks using firewall rules or network segmentation
  • Implement monitoring and alerting for unexpected console access attempts to detect potential exploitation attempts
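The third recommended action, detecting unexpected console access attempts, can be implemented as a simple pass over the HTTP access log. The following script is an added example and not part of the OpenCVE record or Oracle's own tooling: it parses Common Log Format lines, keeps only requests under the administration console context path (assumed here to be /console, WebLogic's default), and flags those whose client address lies outside an allowlisted management network. The log lines, the 10.0.50.0/24 management CIDR and the console path are constructed assumptions for the example.

```python
"""
Added example (not part of the OpenCVE record): flag HTTP requests to the
WebLogic administration console that originate outside an allowlisted
management network. The log lines, the management CIDR and the console
context path (/console, WebLogic's default) are assumptions for this example.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Hypothetical management network from which console access is expected.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.0.50.0/24")]

# Assumed console context path; adjust if the console is deployed elsewhere.
CONSOLE_PREFIXES = ("/console",)

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unexpected format: skip the line rather than crash
    return m.groupdict()


def is_console_request(path: str) -> bool:
    """True for the console context root itself and anything beneath it (case-insensitive)."""
    p = path.split("?", 1)[0].lower()
    return any(p == c or p.startswith(c + "/") for c in CONSOLE_PREFIXES)


def from_management_network(client: str) -> bool:
    """True if the client address falls inside an allowlisted management network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # an unparsable client field is treated as untrusted
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def find_unexpected_console_access(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per console request that came from outside the management network."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_console_request(rec["path"]):
            continue
        if from_management_network(rec["client"]):
            continue
        findings.append(
            {"client": rec["client"], "time": rec["time"],
             "path": rec["path"], "status": rec["status"]}
        )
    return findings


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '10.0.50.12 - - [16/Jun/2026:21:02:11 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5123',
    '203.0.113.77 - - [16/Jun/2026:21:05:43 +0000] "GET /console/ HTTP/1.1" 302 0',
    '203.0.113.77 - - [16/Jun/2026:21:05:44 +0000] "POST /console/j_security_check HTTP/1.1" 200 1024',
    '198.51.100.9 - - [16/Jun/2026:21:07:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_unexpected_console_access(SAMPLE_LOG):
        print(f"ALERT console access from {f['client']} at {f['time']}: "
              f"{f['path']} -> {f['status']}")
```

Run against the constructed sample, the two requests from 203.0.113.77 are reported and the request from the management network is not; the unparsable line is skipped. In production the same logic would read the server's access log (or a reverse proxy's) and feed the findings to the alerting pipeline, with the allowlist maintained alongside the firewall rules from the second recommended action.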


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type: Description
  Values Removed: -
  Values Added: Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Type: First Time appeared
  Values Removed: -
  Values Added: Oracle; Oracle weblogic Server

Type: CPEs
  Values Removed: -
  Values Added: cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: -
  Values Added: Oracle; Oracle weblogic Server

Type: References
  Values Removed: -
  Values Added: -

Type: Metrics
  Values Removed: -
  Values Added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:08:20.247Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35301

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:15:03Z

Weaknesses

No weakness.