Description
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker with network access via HTTP can exploit a flaw in the Content Server component of Oracle WebCenter Content. The vulnerability allows the attacker to execute arbitrary code, potentially taking full control of the application. Successful exploitation compromises confidentiality, integrity, and availability of the affected instance, resulting in a complete takeover.

Affected Systems

Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 are vulnerable. The flaw’s scope change may affect other Oracle products that interact with WebCenter Content, but the primary targets remain the listed releases.

Risk and Exploitability

The CVSS v3.1 base score of 9.0 categorizes this as Critical, with no authentication, high complexity, no user interaction, and changed scope. The EPSS score of less than 1% indicates a low current exploitation probability, but the severity remains high. Because the vulnerability is reached over HTTP, it can be triggered remotely from any location that can contact the WebCenter Content service. The weakness involves incorrect permission evaluation (CWE-284), enabling the attacker to bypass access controls and execute code.

Generated by OpenCVE AI on June 18, 2026 at 23:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle patch for CVE-2026-35320 as detailed in the Oracle security alert for June 2026.
  • Block external HTTP access to the WebCenter Content server, restricting connections to trusted internal networks only.
  • Deploy a Web Application Firewall or intrusion detection system on the WebCenter Content server to detect and block malicious HTTP requests targeting the vulnerable component.

Generated by OpenCVE AI on June 18, 2026 at 23:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Unauthenticated HTTP Attack on Oracle WebCenter Content

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via Vulnerable HTTP Endpoint in Oracle WebCenter Content
Weaknesses CWE-20
CWE-287

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via Vulnerable HTTP Endpoint in Oracle WebCenter Content
Weaknesses CWE-20
CWE-284
CWE-287
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Content
CPEs cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_content:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Content
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Content
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-19T03:55:32.748Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35320

cve-icon Vulnrichment

Updated: 2026-06-17T15:25:32.672Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses