Skip to main content

Oracle WebCenter Content CVE-2026-46784

| EUVDEUVD-2026-37302 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.1 CRITICAL

HTTP-reachable Imaging endpoint exploitable with no auth or user interaction; description confirms read and write to all Imaging data (C:H/I:H) but no availability impact (A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:06 vuln.today

DescriptionCVE.org

Vulnerability in the WebCenter Content: Imaging product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebCenter Content: Imaging. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all WebCenter Content: Imaging accessible data as well as unauthorized access to critical data or complete access to all WebCenter Content: Imaging accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Unauthenticated remote compromise of Oracle WebCenter Content: Imaging (component: Core) in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0 allows attackers to read and modify all data accessible to the Imaging service over HTTP. The flaw is rated CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and Oracle classifies it as easily exploitable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Imaging HTTP endpoint
Delivery
Send crafted unauthenticated request to Core component
Exploit
Bypass authentication check
Execution
Invoke document read/write API
Impact
Exfiltrate or modify Imaging data

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of Oracle WebCenter Content: Imaging 12.2.1.4.0 or 14.1.2.0.0 reachable over HTTP, with no user interaction required (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 9.1 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N indicates a high-severity, low-complexity, fully unauthenticated network attack - exactly the profile that defenders should treat as priority for any internet- or partner-network-exposed Imaging instance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the WebCenter Content: Imaging HTTP endpoint over the network sends crafted HTTP requests to the vulnerable Core component without supplying valid credentials, abusing the missing authentication enforcement to read stored documents and metadata or to create, modify, and delete Imaging records. Because availability is not impacted, the activity may go unnoticed while sensitive scanned content (invoices, contracts, HR documents) is exfiltrated or tampered with. …
Remediation Apply patch available per vendor advisory by installing the June 2026 Oracle Critical Patch Update for Fusion Middleware / WebCenter Content as documented at https://www.oracle.com/security-alerts/cspujun2026.html; exact fix bundle numbers should be taken from the Oracle CPU patch matrix for the 12.2.1.4.0 and 14.1.2.0.0 trains rather than invented here. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Oracle WebCenter Content: Imaging versions 12.2.1.4.0 or 14.1.2.0.0 and determine network accessibility. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-10075 HIGH POC
8.2 Aug 08

Vulnerability in the Oracle WebCenter Content component of Oracle Fusion Middleware (subcomponent: Content Server). Rate

CVE-2026-46783 CRITICAL
9.8 Jun 16

Remote unauthenticated takeover of Oracle WebCenter Content: Imaging (versions 12.2.1.4.0 and 14.1.2.0.0) is possible vi

CVE-2026-46780 HIGH
8.8 Jun 16

Account takeover in Oracle WebCenter Content: Imaging (Fusion Middleware) allows a low-privileged authenticated attacker

CVE-2017-10360 HIGH
8.2 Oct 19

Vulnerability in the Oracle WebCenter Content component of Oracle Fusion Middleware (subcomponent: Content Server). Rate

CVE-2017-10040 HIGH
8.2 Aug 08

Vulnerability in the Oracle WebCenter Content component of Oracle Fusion Middleware (subcomponent: Content Server). Rate

CVE-2017-3625 HIGH
8.2 Apr 24

Vulnerability in the Oracle WebCenter Content component of Oracle Fusion Middleware (subcomponent: Content Server). Rate

CVE-2018-2828 HIGH
8.2 Apr 19

Vulnerability in the Oracle WebCenter Content component of Oracle Fusion Middleware (subcomponent: Content Server). Rate

CVE-2018-2596 HIGH
8.2 Jan 18

Vulnerability in the Oracle WebCenter Content component of Oracle Fusion Middleware (subcomponent: Content Server). Rate

CVE-2018-2564 HIGH
8.2 Jan 18

Vulnerability in the Oracle WebCenter Content component of Oracle Fusion Middleware (subcomponent: Content Server). Rate

CVE-2024-20928 MEDIUM
6.1 Jan 16

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Rated med

CVE-2023-22126 MEDIUM
5.3 Oct 17

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Rated med

Share

CVE-2026-46784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy