Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vulnerability CVE-2026-35303 is a missing authentication flaw in the Oracle WebLogic Server Console that allows an attacker with only low privileges over the network to exploit the console over HTTP and gain full control of the server. The flaw is classified as CWE‑306 and can result in complete compromise of confidentiality, integrity and availability.

Affected Systems

Affected are Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0, specifically the Console component of the Fusion Middleware platform.

Risk and Exploitability

The CVSS score of 8.8 indicates high impact, while the EPSS score of less than 1% suggests low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but attackers only need network access to the console port to execute the attack, making it a serious risk for exposed servers.

Generated by OpenCVE AI on June 17, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle WebLogic Server patch detailed in the June 2026 security alert for versions 12.2.1.4.0 and 14.1.1.0.0.
  • Restrict console access by limiting the WebLogic Server listening address to.
  • Enforce strong, unique credentials for the console account and review account privileges regularly.

Generated by OpenCVE AI on June 17, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Oracle Weblogic Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:05:40.838Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35303

cve-icon Vulnrichment

Updated: 2026-06-17T13:05:19.768Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T22:15:03Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function