Description
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Content Server component of Oracle WebCenter Content, allowing an unauthenticated attacker with network access through HTTP to exercise privileged actions and potentially execute arbitrary code. This reflects the weakness of lack of authentication (CWE‑306). The attack can lead to a full system takeover with complete loss of confidentiality, integrity, and availability.

Affected Systems

Affected are Oracle WebCenter Content versions 12.2.1.4.0 and 14.1.2.0.0 as part of Oracle Fusion Middleware. These versions are enumerated by Oracle and listed in the security alert.

Risk and Exploitability

The base score of 9.8 signals critical severity, yet the EPSS indicates a very low probability of exploitation (<1%). The vulnerability is not cataloged in CISA KEV, implying no known active exploitation. The attack vector is network-based over HTTP, and no authentication is required, making it readily exploitable if the system is reachable from outside.

Generated by OpenCVE AI on June 18, 2026 at 23:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Follow Oracle's June 2026 security advisory and apply the release that addresses the vulnerability.
  • Limit HTTP access to the Content Server to trusted IP ranges and enforce authentication for all users.
  • Enable detailed logging and auditing on the Content Server to detect and investigate any unauthorized access attempts.

Generated by OpenCVE AI on June 18, 2026 at 23:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via HTTP in Oracle WebCenter Content
Weaknesses CWE-284
CWE-862

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via HTTP in Oracle WebCenter Content
Weaknesses CWE-284
CWE-306
CWE-862
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Content
CPEs cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_content:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Content
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Content
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:24:24.689Z

Reserved: 2026-05-18T15:55:10.302Z

Link: CVE-2026-46813

cve-icon Vulnrichment

Updated: 2026-06-17T15:24:20.657Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function