Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Network-reachable HTTP service (AV:N/AC:L), attacker needs a low-privileged account (PR:L), a second user must interact (UI:R), and Oracle states full takeover so C/I/A:H with scope unchanged.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with HTTP network access to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content. Oracle rates the flaw 8.0 (high) with confidentiality, integrity, and availability all marked High. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Oracle WebCenter Sites is a Java-based enterprise web experience management (WEM) platform within the Oracle Fusion Middleware stack, used to author, manage, and deliver multi-channel digital content. The CPE cpe:2.3:a:oracle_corporation:oracle_webcenter_sites covers both the 12c (12.2.1.4.0) and 14c (14.1.2.0.0) supported branches. Although CWE classification is N/A in the input, the combination of CVSS metrics (AV:N/AC:L/PR:L/UI:R) and Oracle's 'takeover' language and 'Information Disclosure' tag is consistent with an authenticated client-side flaw such as stored cross-site scripting or CSRF-style request abuse against a higher-privileged operator who interacts with the attacker's payload, leading to session/credential theft or privileged action execution.
RemediationAI
Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 as published at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle distributes WebCenter Sites patches through My Oracle Support and the exact patched build numbers should be taken directly from that CPU page (patch available per vendor advisory; an independently confirmed fix version is not present in the supplied data). Until the CPU is rolled out, restrict the WebCenter Sites authoring/admin UIs to trusted networks via a reverse proxy or VPN, disable or tightly review any self-registration / low-privilege role provisioning so that PR:L access cannot be obtained casually, and remind editors and administrators not to click links or preview untrusted content from low-privileged contributors (this mitigates the UI:R requirement at the cost of slower editorial workflows). Enabling a strict Content-Security-Policy on the WebCenter Sites front-end and reviewing audit logs for suspicious authoring actions from low-privileged accounts are reasonable compensating controls, with the trade-off that aggressive CSP can break legacy templates.
More in Oracle Webcenter Sites
View allRemote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximu
Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers ove
Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vend
Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attac
Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP,
Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middlewar
Remote takeover of Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to
Unauthenticated remote compromise of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing att
Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker with HTTP a
Takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible when a low-privileged attacker with HTTP networ
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37314