Description
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Oracle WebCenter Content allows an unauthenticated attacker to send HTTP requests and achieve a complete takeover of the application. The flaw is a classic access‑control weakness that can result in total loss of confidentiality, integrity and availability. The CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and a Base Score of 9.8 indicate that the risk is severe even though no privileges or user interaction are required.

Affected Systems

Oracle WebCenter Content version 12.2.1.4.0 and 14.1.2.0.0 are affected. The vulnerability exists in the Content Server component of Oracle Fusion Middleware.

Risk and Exploitability

The low EPSS (<1%) suggests that exploitation is not yet widespread, and the vulnerability is not listed in the CISA KEV catalog, but the high CVSS score and the fact that an unauthenticated attacker can exploit it over HTTP mean that attackers can readily compromise any exposed instance. The likely attack vector is via direct network access to the WebCenter Content HTTP endpoint, no certificates or special authentication steps required.

Generated by OpenCVE AI on June 17, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle WebCenter Content update package that addresses CVE-2026-46766 to all affected installations.
  • Block or restrict external network traffic to the WebCenter Content HTTP port until the patch is applied or the application is redeployed behind a firewall that requires authentication.
  • Configure the application to enforce authentication for all HTTP requests, or deploy a reverse proxy that requires valid credentials before forwarding traffic to the Content Server.

Generated by OpenCVE AI on June 17, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Code Execution in Oracle WebCenter Content
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Content
CPEs cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_content:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Content
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Content
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-19T03:55:42.749Z

Reserved: 2026-05-18T15:55:10.296Z

Link: CVE-2026-46766

cve-icon Vulnrichment

Updated: 2026-06-17T15:25:23.705Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:00:12Z

Weaknesses