CVE-2026-35302 - Vulnerability Details

Description

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Published: 2026-06-16

Score: 8.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Console component of Oracle WebLogic Server allows an attacker to execute arbitrary code without prior authentication. If successfully exploited, the attacker can fully compromise the server, leading to loss of confidentiality, integrity, and availability. The vulnerability is identified as CWE‑601 and presents a high‑impact risk to systems exposing the Console over HTTP.

Affected Systems

The affected editions are Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0. These versions are found in many enterprise deployments and may also influence integrated Fusion Middleware components.

Risk and Exploitability

The CVSS v3.1 base score of 8.3 indicates high severity, while the EPSS score of less than 1% suggests the exploitation likelihood is currently low. Because the vulnerability is not listed in CISA's KEV catalog, public exploitation is not confirmed, yet the attack vector is network‑based via HTTP to the Console endpoint, requiring only minimal configuration changes on the target. Successful attacks would elevate the attacker’s privilege to administrator level, allowing full control of the WebLogic server and potentially affecting other products in the same environment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

WebLogic Server

affected

Version	Status	Constraints
`12.2.1.4.0`	affected	—
`14.1.1.0.0`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Weblogic Server

95%

Version	Status	Scheme	Platform
`12.2.1.4.0`	affected	generic	—
`14.1.1.0.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply Oracle's official patch for WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 to remediate the console vulnerability.
Restrict or disable HTTP access to the Console component via firewall rules or internal network segmentation, limiting exposure to trusted hosts only.
Monitor inbound HTTP traffic for unusual Console access patterns and conduct regular vulnerability scans to detect any re‑exposure of the affected endpoint.

Generated by OpenCVE AI on June 17, 2026 at 18:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00338.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.oracle.com/security-alerts/cspujun2026.html

History

Wed, 17 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-601
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 16 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
First Time appeared		Oracle Oracle weblogic Server
CPEs		cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*
Vendors & Products		Oracle Oracle weblogic Server
References		https://www.oracle.com/security-alerts/cspujun2026.html
Metrics		cvssV3_1 `{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Subscriptions

Oracle Weblogic Server

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-06-16T19:27:05.074Z

Updated: 2026-06-17T13:06:54.833Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35302

Vulnrichment

Updated: 2026-06-17T13:06:39.230Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T01:30:04Z

Weaknesses

CWE-601
URL Redirection to Untrusted Site ('Open Redirect')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object