Skip to main content

Oracle WebLogic Server CVE-2026-35302

| EUVD-2026-37428 HIGH
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-16 oracle
Oracle Weblogic Server Open Redirect
8.3
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.3 HIGH

Console reachable over HTTP (AV:N, PR:N) but needs admin interaction and specialized conditions (UI:R, AC:H); takeover with cross-component impact justifies S:C and C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:34 vuln.today

DescriptionCVE.org

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

AnalysisAI

Server takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (Console component) allows a remote unauthenticated attacker who can lure an authenticated user into interacting with a crafted HTTP request to fully compromise the server with a scope change to other products. CVSS 8.3 reflects high impact tempered by high attack complexity and required user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed WebLogic Console
Delivery
Send phishing link to admin
Exploit
Admin with active Console session loads attacker page
Execution
Crafted HTTP request triggers Console flaw
Persist
Scope-changed takeover of WebLogic Server
Impact
Pivot to dependent Fusion Middleware components
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network HTTP reachability to the WebLogic Administration Console, (2) interaction from a person other than the attacker - in practice an authenticated WebLogic operator/administrator clicking or loading attacker-controlled content while a Console session is active, and (3) the specialized circumstances implied by AC:H, meaning timing, configuration, or session state outside the attacker's direct control must align. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious page or sends a phishing link to a WebLogic administrator; when the admin - already authenticated to the WebLogic Console - visits the page, a crafted HTTP request is issued to the Console that triggers the flaw and pivots into a takeover of the WebLogic Server and connected Fusion Middleware components. Successful exploitation is gated by the admin's interaction and the specialized conditions reflected in AC:H, but yields full confidentiality, integrity, and availability impact across the trust boundary.
Remediation Apply the fixes delivered in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to WebLogic Server 12.2.1.4.0 and 14.1.1.0.0; exact patched build numbers are listed in the CPU patch matrix and should be sourced directly from My Oracle Support, as the input does not enumerate a discrete fixed version string. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all WebLogic Server instances running versions 12.2.1.4.0 or 14.1.1.0.0 and map Console network accessibility; implement firewall rules restricting Console access to known administrative IP ranges only; disable Console service if not operationally required. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-35292 CRITICAL
10.0 Jun 16

Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network a
CVE-2026-35301 CRITICAL
10.0 Jun 16

Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an u
CVE-2026-35263 CRITICAL
9.9 Jun 16

Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by
CVE-2026-35300 CRITICAL
9.8 Jun 16

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by u
CVE-2026-35298 CRITICAL
9.1 Jun 16

Authenticated takeover of Oracle WebLogic Server (Fusion Middleware Core component) is possible by a high-privileged att

Share

CVE-2026-35302 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy