Skip to main content

IIS CVE-2026-21962

CRITICAL
Improper Access Control (CWE-284)
2026-01-20 secalert_us@oracle.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 03, 2026 - 00:16 nvd
Patch available
CVE Published
Jan 20, 2026 - 22:15 nvd
CRITICAL 10.0

DescriptionCVE.org

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

AnalysisAI

Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer.

Technical ContextAI

Oracle Fusion Middleware's HTTP Server and WebLogic Server Proxy Plug-in have a CWE-284 access control vulnerability that allows unauthenticated attackers to compromise the middleware component with no user interaction required.

RemediationAI

Apply Oracle Critical Patch Update immediately. Implement WAF rules. Monitor for unauthorized access to WebLogic administration interfaces.

Share

CVE-2026-21962 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy