Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker with low privileges and network access over HTTP to compromise the server. The flaw exists within the core component of Oracle WebLogic Server and can be used to take full control, impacting confidentiality, integrity and availability. The weakness is a lack of proper access control that permits unauthorized code execution, reflected by the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected Systems

Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.2.0.0 are affected. These are part of Oracle Fusion Middleware.

Risk and Exploitability

The EPSS score is less than 1%, indicating a low probability of widespread exploitation, but the vulnerability is easy to exploit and can be triggered remotely over HTTP by an attacker who does not require elevated privileges. The CVSS 3.1 base score of 8.8 classifies it as high severity. It is not listed in the CISA KEV catalog, but its impact warrants immediate attention. An attacker who succeeds in exploiting this flaw can execute arbitrary code and effectively take over the server.

Generated by OpenCVE AI on June 17, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle WebLogic Server patch that addresses CVE-2026-35311 for versions 12.2.1.4.0 and 14.1.2.0.0.
  • Restrict HTTP access to WebLogic Server by configuring firewall rules or IP whitelisting, ensuring only trusted administrators can reach the server.
  • Verify that high privilege accounts are required for deployment operations and that proper authentication is enforced; disable any unused management ports.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). |
| First Time appeared | | Oracle; Oracle weblogic Server |
| CPEs | | `cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*`; `cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*` |
| Vendors & Products | | Oracle; Oracle weblogic Server |
| References | | |
| Metrics | | cvssV3_1: `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:38:01.094Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35311

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:00:12Z

Weaknesses

No weakness.