Description
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A privileged escalation flaw in Oracle WebCenter Sites allows an attacker with network access via HTTP to run arbitrary code and fully compromise the system. The vulnerability can lead to complete loss of confidentiality, integrity, and availability of the application. The impact can affect any user with low privileges on the network capable of contacting the vulnerable instance.

Affected Systems

Oracle WebCenter Sites version 12.2.1.4.0 and version 14.1.2.0.0 are impacted. These releases are part of Oracle Fusion Middleware and are deployed in enterprise web portals.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity. The EPSS score is below 1 %, suggesting that exploitation is presently unlikely. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation is inferred to be possible via standard HTTP traffic to the application, and requires only low privileges; an attacker could leverage known HTTP endpoints or misconfigurations to trigger the flaw.

Generated by OpenCVE AI on June 17, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle WebCenter Sites patch or upgrade to a fixed version as detailed in the Oracle security advisory
  • If a patch is not yet available, restrict HTTP access to trusted networks or block the WebCenter Sites port from public exposure
  • Disable or secure any exposed administrative or configuration URLs that may facilitate the vulnerability, and validate that authentication controls are properly enforced

Generated by OpenCVE AI on June 17, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Orcacle
Orcacle webcenter Sites
Vendors & Products Orcacle
Orcacle webcenter Sites

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via HTTP in Oracle WebCenter Sites
Weaknesses CWE-284
CWE-287
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Sites
CPEs cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Sites
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Sites
Orcacle Webcenter Sites
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:37:00.522Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35318

cve-icon Vulnrichment

Updated: 2026-06-17T15:25:35.201Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:00:12Z

Weaknesses