Skip to main content

Oracle WebCenter Sites EUVDEUVD-2026-37444

| CVE-2026-35318 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

HTTP-reachable (AV:N), Oracle calls it easily exploitable (AC:L), requires one low-privileged WebCenter Sites account (PR:L), no user interaction, and results in full product takeover (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:17 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker with HTTP access to fully compromise the product. The flaw is rated CVSS 8.8 with high impact across confidentiality, integrity, and availability, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed WebCenter Sites instance
Delivery
Obtain low-privileged editorial credentials
Exploit
Send crafted HTTP request to vulnerable endpoint
Execution
Escalate privileges within WebCenter Sites
Persist
Achieve full product takeover
Impact
Exfiltrate or modify managed content

Vulnerability AssessmentAI

Exploitation Requires network HTTP/HTTPS reachability to an Oracle WebCenter Sites 12.2.1.4.0 or 14.1.2.0.0 instance and one valid low-privileged account on that instance (CVSS PR:L) - fully unauthenticated exploitation is not indicated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) signals a high-priority issue: network-reachable, low-complexity, no user interaction, and only a single low-privileged account required to achieve full takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or registered any low-privileged WebCenter Sites account (e.g., a content contributor, a leaked partner credential, or a self-service editorial role) sends crafted HTTP requests to the WebCenter Sites application and escalates to full product takeover, gaining the ability to publish arbitrary content, exfiltrate managed assets, or pivot into the underlying Fusion Middleware host. No user interaction is required and the attack complexity is low, making credential reuse and phished editorial logins a realistic entry path; no public exploit identified at time of analysis.
Remediation Apply the patches from Oracle's June 2026 Critical Patch Update advisory at https://www.oracle.com/security-alerts/cspujun2026.html for WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 - Oracle CPU patches are the only supported remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running WebCenter Sites 12.2.1.4.0 or 14.1.2.0.0; implement network-level access controls restricting HTTP access to trusted sources only; audit and revoke unnecessary low-privilege user accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-46800 CRITICAL
10.0 Jun 16

Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximu

CVE-2026-46798 CRITICAL
10.0 Jun 16

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers ove

CVE-2026-46801 CRITICAL
9.8 Jun 16

Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vend

CVE-2026-46797 CRITICAL
9.8 Jun 16

Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attac

CVE-2026-35296 CRITICAL
9.8 Jun 16

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP,

CVE-2026-35293 CRITICAL
9.8 Jun 16

Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middlewar

CVE-2026-46799 CRITICAL
9.8 Jun 16

Remote takeover of Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to

CVE-2026-46809 CRITICAL
9.1 Jun 16

Unauthenticated remote compromise of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing att

CVE-2026-46796 HIGH
8.0 Jun 16

Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with

CVE-2026-35295 HIGH
7.5 Jun 16

Takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible when a low-privileged attacker with HTTP networ

Share

EUVD-2026-37444 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy