Description
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Security Framework component of Oracle WebCenter Portal, allowing an attacker who is only a low‑privileged user with network access via HTTPS to take full control of the portal. The vulnerability can compromise confidentiality, integrity, and availability and, due to a scope change, may also impact other Fusion Middleware products that interact with the portal.

Affected Systems

Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0 are affected. These releases are listed under Oracle Corporation for the WebCenter Portal product.

Risk and Exploitability

The CVSS 3.1 base score of 9.9 highlights critical severity, with low attack complexity and low required privileges, and no user interaction needed. The EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not present in CISA’s KEV catalog. The attack vector is inferred to be an initial HTTPS connection to the portal, after which the attacker exploits the unsecured Security Framework to achieve remote code execution and portal takeover.

Generated by OpenCVE AI on June 18, 2026 at 23:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch released by Oracle or upgrade to a newer, non‑vulnerable version of WebCenter Portal as directed in Oracle’s security advisory.
  • Restrict inbound HTTPS traffic to the portal by configuring firewalls or network segmentation so that only trusted internal networks or authenticated users can reach it, thereby reducing the attack surface.
  • Implement continuous monitoring of portal access logs and set alerts for unusual authentication or administrative actions, and enforce least‑privilege access controls to limit the impact of any potential compromise.

Generated by OpenCVE AI on June 18, 2026 at 23:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Oracle WebCenter Portal Security Framework Vulnerability Enables Remote Code Execution and Portal Takeover

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title High-Impact Remote Code Execution in Oracle WebCenter Portal via HTTPS
Weaknesses CWE-287
CWE-94

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title High-Impact Remote Code Execution in Oracle WebCenter Portal via HTTPS
Weaknesses CWE-284
CWE-287
CWE-94
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Portal
CPEs cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Portal
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Portal
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-23T03:55:41.256Z

Reserved: 2026-05-18T15:55:10.306Z

Link: CVE-2026-46844

cve-icon Vulnrichment

Updated: 2026-06-17T15:31:26.690Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses