Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Console component of Oracle WebLogic Server permits an unauthenticated attacker with network access via HTTP to compromise the server. The vulnerability is categorized as CWE‑601 and its exploitation is considered difficult, requiring a human interaction from a party other than the attacker. When successfully exploited, the attacker can take full control of the WebLogic Server, resulting in loss of confidentiality, integrity and availability. The CVSS v3.1 base score of 8.3 reflects the severe impact on all three core security properties.

Affected Systems

Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are affected. These deployments are common in enterprise environments and can influence additional Fusion Middleware components.

Risk and Exploitability

The high CVSS score indicates a serious vulnerability, yet the EPSS score of less than 1% suggests that exploitation attempts are presently uncommon. Because the vulnerability is not listed in the CISA KEV catalog, no confirmed public exploitation is documented. The likely attack vector is a network‑based HTTP request to the Console endpoint; however, the difficulty of exploitation and requirement for human interaction reduce the immediate threat. If an attacker does succeed, privilege is elevated to administrative level, enabling a complete takeover of the server and potential cascading impact on other products in the same environment.

Generated by OpenCVE AI on June 18, 2026 at 14:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle’s security patch that addresses the console vulnerability for WebLogic Server 12.2.1.4.0 and 14.1.1.0.0.
  • Disable or restrict HTTP access to the WebLogic Console using firewall rules or internal network segmentation, allowing only trusted hosts to reach the endpoint.
  • Implement monitoring of inbound HTTP traffic to the Console endpoint and employ intrusion detection to identify anomalous access patterns, mitigating potential exploitation attempts.

Generated by OpenCVE AI on June 18, 2026 at 14:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via WebLogic Server Console

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via WebLogic Server Console

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-601
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Weblogic Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:38.738Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35302

cve-icon Vulnrichment

Updated: 2026-06-17T13:06:39.230Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')