Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle states unauthenticated HTTP attacker can take over the product, so AV:N/AC:L/PR:N/UI:N with full C/I/A impact and unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the content management platform. Oracle's June 2026 Critical Patch Update advisory rates this 9.8 CVSS and describes it as easily exploitable with no authentication or user interaction. No public exploit identified at time of analysis, but the unauthenticated network vector and high impact place this among the highest-priority items in the CPU.
Technical ContextAI
Oracle WebCenter Sites is an enterprise web experience management and content publishing platform within Oracle Fusion Middleware, commonly deployed for public-facing marketing and customer portals on WebLogic application servers. The CPE cpe:2.3:a:oracle_corporation:oracle_webcenter_sites covers all current Oracle-supported branches (12.2.1.4.0 and 14.1.2.0.0). Although Oracle did not publish a CWE classification, the combination of HTTP attack vector, no privileges required, and full takeover impact is consistent with classes such as authentication bypass, unsafe deserialization, or unauthenticated server-side injection that have historically affected WebCenter Sites and adjacent Fusion Middleware components.
RemediationAI
Patch available per vendor advisory: apply the WebCenter Sites fixes bundled in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to both the 12.2.1.4.0 and 14.1.2.0.0 branches; Oracle does not publish a distinct fix version string, so apply the CPU patch listed for your installed release. Until patched, restrict HTTP/HTTPS access to WebCenter Sites admin and content delivery endpoints to trusted networks via WAF or reverse-proxy ACLs (trade-off: may block legitimate editor traffic from remote offices), enable logging of unusual POST traffic to /cs/, /webcentersites/, and Satellite Server endpoints, and disable any unused remote management interfaces - generic 'defense in depth' is insufficient given the unauthenticated takeover impact.
More in Oracle Webcenter Sites
View allRemote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximu
Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers ove
Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vend
Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP,
Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middlewar
Remote takeover of Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to
Unauthenticated remote compromise of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing att
Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker with HTTP a
Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with
Takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible when a low-privileged attacker with HTTP networ
Same weakness CWE-284 – Improper Access Control
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37315