Description
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content, requiring human interaction from a user other than the attacker. Successful exploitation can lead to a full takeover of the product, affecting the confidentiality, integrity, and availability of the system.

Affected Systems

Affected is Oracle WebCenter Content, version 14.1.2.0.0. No other vendors or products are listed as impacted in the provided data.

Risk and Exploitability

The CVSS score of 9.6 indicates critical severity. The EPSS score is below 1 %, suggesting a low probability of exploit at the time of the assessment, and the vulnerability is not listed in the CISA KEV catalog. However, the requirement of network access via HTTP combined with the need for human interaction makes the attack vector primarily network-based and user‑dependent. The scope change described may allow related Oracle Fusion Middleware components to be affected if compromised.

Generated by OpenCVE AI on June 18, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle WebCenter Content patch as soon as it is released by Oracle
  • Restrict HTTP access to the WebCenter Content instance to trusted networks only, using firewalls or VPNs
  • Monitor authentication and administration logs for suspicious activity and investigate any anomalies promptly

Generated by OpenCVE AI on June 18, 2026 at 20:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Attack Enables Full Takeover of Oracle WebCenter Content

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Attack Enables Full Takeover of Oracle WebCenter Content
Weaknesses CWE-20
CWE-284
CWE-352
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Content
CPEs cpe:2.3:a:oracle:webcenter_content:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Content
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Content
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-19T03:55:54.339Z

Reserved: 2026-05-18T15:55:10.298Z

Link: CVE-2026-46786

cve-icon Vulnrichment

Updated: 2026-06-17T14:40:57.616Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:00:14Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-284

    Improper Access Control

  • CWE-352

    Cross-Site Request Forgery (CSRF)