Description
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Oracle WebCenter Sites (CWE-306: Missing Authentication) lets an unauthenticated attacker who can reach the application over HTTP gain full control of the system. The vulnerability enables an exploit that changes the scope, potentially affecting other applications or services running in the same environment. Successful exploitation results in the loss of confidentiality, integrity and availability of the WebCenter Sites deployment.

Affected Systems

Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 are affected, regardless of which environment they are running in.

Risk and Exploitability

The CVSS v3.1 base score of 10.0 reflects a complete compromise of all security properties. The EPSS score is below 1 %, indicating a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack can be carried out remotely via an open HTTP interface without authentication or privileges, presenting a high risk to organizations that expose WebCenter Sites to the network.

Generated by OpenCVE AI on June 19, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle WebCenter Sites patch or upgrade to a version that includes the fix for CVE-2026-46798.
  • Configure the application to require authentication for all HTTP endpoints or block unauthenticated access using firewall rules or a VPN; this directly mitigates the missing‑authentication weakness (CWE‑306).
  • Monitor WebCenter Sites logs and network traffic for unusual activity that could indicate exploitation attempts.

Generated by OpenCVE AI on June 19, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Exploit Allowing Full Takeover of Oracle WebCenter Sites
Weaknesses CWE-269
CWE-287

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Exploit Allowing Full Takeover of Oracle WebCenter Sites
Weaknesses CWE-269
CWE-287

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Sites
CPEs cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Sites
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Sites
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:09:22.215Z

Reserved: 2026-05-18T15:55:10.299Z

Link: CVE-2026-46798

cve-icon Vulnrichment

Updated: 2026-06-17T15:09:18.830Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T04:00:07Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function