Description
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Oracle WebCenter Sites enables an unauthenticated attacker who can reach the application over HTTP to fully compromise the system. Because the flaw allows a scope change, the impact may extend to other products in the same environment. Successful exploitation grants the attacker complete control, resulting in loss of confidentiality, integrity, and availability.

Affected Systems

Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 are affected.

Risk and Exploitability

The CVSS v3.1 base score is 10.0, reflecting complete loss of all security properties. The EPSS score is below 1%, indicating a currently low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack can be performed remotely over an open HTTP interface without authentication or privileges, demonstrating a high risk to organizations that expose WebCenter Sites to the network.

Generated by OpenCVE AI on June 17, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle WebCenter Sites patch or upgrade to a version that includes the fix for CVE-2026-46798.
  • Restrict inbound HTTP/HTTPS traffic to WebCenter Sites using firewall rules or a VPN so that only trusted IP addresses can reach the application.
  • Monitor WebCenter Sites logs and network traffic for unusual activity that could indicate exploitation attempts.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle webcenter Sites
CPEs | | cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:webcenter_sites:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle webcenter Sites
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:09:22.215Z

Reserved: 2026-05-18T15:55:10.299Z

Link: CVE-2026-46798

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:30:02Z

Weaknesses

No weakness.