Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where WebLogic Server executes to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all WebLogic Server accessible data. CVSS 3.1 Base Score 7.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
Published: 2026-06-16
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Oracle WebLogic Server's console component allows a low‑privileged user who can log on to the host to compromise the application. The vulnerability requires local presence, minimal authentication effort, and the cooperation of another user to trigger exploitation. When successful, the attacker can create, delete, or modify data, and gain unauthorized read or full access to any data reachable through the console. The CVSS v3.1 base score is 7.9, indicating a high impact on both confidentiality and integrity.

Affected Systems

The affected software versions are Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0. The console component is part of the Oracle Fusion Middleware stack, so compromise may also affect other applications running in the same domain. Only the two mentioned releases contain the flaw, and no other products are listed as directly affected.

Risk and Exploitability

The overall risk is substantial because an attacker only needs local access and the cooperation of another user to trigger the exploit. While the EPSS score is below 1 %, the high CVSS score and the possibility of full data loss keep the severity elevated. The vulnerability is not in the CISA KEV catalog, so no pre‑published exploit kits are known, but the high confidentiality and integrity impact necessitates immediate action. The attack vector is local, requires user interaction, and can still impact additional products if the scope changes.

Generated by OpenCVE AI on June 17, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle security patch for WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 as specified in the official advisory.
  • Restrict console access to authorized administrators only, for example by configuring firewall rules or limiting WebLogic Console user roles.
  • If the console is not required for your environment, disable or uninstall the console component to remove the attack surface.

Generated by OpenCVE AI on June 17, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where WebLogic Server executes to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all WebLogic Server accessible data. CVSS 3.1 Base Score 7.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 7.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Oracle Weblogic Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:02:51.519Z

Reserved: 2026-05-18T15:55:10.306Z

Link: CVE-2026-46848

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T01:15:16Z

Weaknesses

No weakness.