Description
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Sites accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw permits an unauthenticated attacker with network connectivity to send crafted HTTP requests to Oracle WebCenter Sites. Successful exploitation results in the attacker creating, deleting, or modifying critical data, and in some cases gaining unrestricted read access to all site data. The vulnerability directly compromises data confidentiality and integrity, but has no stated impact on availability.

Affected Systems

The affected products are Oracle WebCenter Sites within Oracle Fusion Middleware. Versions 12.2.1.4.0 and 14.1.2.0.0 are affected. The issue resides in the WebCenter Sites component.

Risk and Exploitability

The CVSS base score of 9.1 denotes a critical-severity vulnerability with a network attack vector, low attack complexity, and no privileges or user interaction required. The EPSS score of less than 1% indicates that, at the time of this analysis, the estimated likelihood of exploitation is low, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, because the flaw allows unauthenticated manipulation or disclosure of data over HTTP, it may remain attractive to threat actors. Exploitation requires only network access to the HTTP interface and does not require prior authentication.

Generated by OpenCVE AI on June 17, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch that addresses CVE-2026-46809 for the affected WebCenter Sites versions
  • If a patch is not yet available, restrict network access to the WebCenter Sites HTTP endpoints by firewall rules to isolate the application from untrusted networks
  • Configure WebCenter Sites to enforce authentication on all endpoints, thereby eliminating anonymous access
  • As a temporary defensive measure, deploy a Web Application Firewall with rules that block the specific request patterns identified in the Oracle advisory

Generated by OpenCVE AI on June 17, 2026 at 20:10 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Sites accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). |
| First Time appeared | | Oracle; Oracle webcenter Sites |
| CPEs | | cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:a:oracle:webcenter_sites:14.1.2.0.0:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Oracle; Oracle webcenter Sites |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:21:18.442Z

Reserved: 2026-05-18T15:55:10.301Z

Link: CVE-2026-46809

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:30:15Z

Weaknesses

No weakness.