Skip to main content

Oracle Webcenter Sites

11 CVEs product

Monthly

CVE-2026-46809 CRITICAL Act Now

Unauthenticated remote compromise of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to read, create, modify, or delete all data accessible to the application. Oracle rates this as easily exploitable with no privileges or user interaction required (CVSS 9.1), and no public exploit identified at time of analysis. The flaw is tagged as an authentication bypass affecting the WebCenter Sites component of Oracle Fusion Middleware.

Authentication Bypass Oracle Oracle Webcenter Sites
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-46801 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vendor and CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) characterizing the flaw as easily exploitable and yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, the issue is not on the CISA KEV list, and no EPSS score was provided, but the 9.8 base score plus Oracle's 'takeover' wording make this a top-tier patching priority on the Oracle Critical Patch Update cycle.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46800 CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximum CVSS 3.1 base score of 10.0 and a scope change indicating impact beyond the WebCenter Sites boundary. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) lists the issue as easily exploitable with no privileges or user interaction required. There is no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-46799 CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the product via HTTP, per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects complete loss of confidentiality, integrity, and availability with no privileges or user interaction required, and no public exploit identified at time of analysis. Oracle's own advisory characterizes the flaw as 'easily exploitable,' raising the urgency for affected customers despite the lack of a published CWE classification.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46798 CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers over HTTP, with a CVSS 3.1 base score of 10.0 reflecting a scope change that can impact adjacent products. No public exploit identified at time of analysis, but Oracle has rated the issue as easily exploitable and released a fix in the June 2026 Critical Patch Update.

Information Disclosure Oracle Oracle Webcenter Sites
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-46797 CRITICAL Act Now

Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the content management platform. Oracle's June 2026 Critical Patch Update advisory rates this 9.8 CVSS and describes it as easily exploitable with no authentication or user interaction. No public exploit identified at time of analysis, but the unauthenticated network vector and high impact place this among the highest-priority items in the CPU.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-46796 HIGH This Week

Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with HTTP network access to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content. Oracle rates the flaw 8.0 (high) with confidentiality, integrity, and availability all marked High. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
8.0
EPSS
0.4%
CVE-2026-35318 HIGH This Week

Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker with HTTP access to fully compromise the product. The flaw is rated CVSS 8.8 with high impact across confidentiality, integrity, and availability, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-35296 CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP, with full compromise of confidentiality, integrity, and availability per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects network-reachable, low-complexity exploitation with no user interaction, placing this among the most severe Fusion Middleware issues in the cycle. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-35295 HIGH This Week

Takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible when a low-privileged attacker with HTTP network access successfully chains a high-complexity exploit path in the WebCenter Sites component, resulting in full confidentiality, integrity, and availability compromise. Oracle's June 2026 Critical Patch Update disclosure rates this CVSS 7.5 with AC:H/PR:L, meaning a valid (even low-tier) account plus non-trivial conditions are required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-35293 CRITICAL Act Now

Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middleware, enabling unauthenticated attackers to compromise the platform over HTTP. Oracle's June 2026 Critical Patch Update rates this 9.8 (CVSS 3.1) with confidentiality, integrity, and availability all marked High, and Oracle describes it as easily exploitable. No public exploit identified at time of analysis, and CWE classification is not provided in the supplied data.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
CVSS 3.1
9.8
EPSS
0.5%
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated remote compromise of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to read, create, modify, or delete all data accessible to the application. Oracle rates this as easily exploitable with no privileges or user interaction required (CVSS 9.1), and no public exploit identified at time of analysis. The flaw is tagged as an authentication bypass affecting the WebCenter Sites component of Oracle Fusion Middleware.

Authentication Bypass Oracle Oracle Webcenter Sites
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with the vendor and CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) characterizing the flaw as easily exploitable and yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, the issue is not on the CISA KEV list, and no EPSS score was provided, but the 9.8 base score plus Oracle's 'takeover' wording make this a top-tier patching priority on the Oracle Critical Patch Update cycle.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote unauthenticated takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP, with a maximum CVSS 3.1 base score of 10.0 and a scope change indicating impact beyond the WebCenter Sites boundary. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) lists the issue as easily exploitable with no privileges or user interaction required. There is no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the product via HTTP, per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects complete loss of confidentiality, integrity, and availability with no privileges or user interaction required, and no public exploit identified at time of analysis. Oracle's own advisory characterizes the flaw as 'easily exploitable,' raising the urgency for affected customers despite the lack of a published CWE classification.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated network attackers over HTTP, with a CVSS 3.1 base score of 10.0 reflecting a scope change that can impact adjacent products. No public exploit identified at time of analysis, but Oracle has rated the issue as easily exploitable and released a fix in the June 2026 Critical Patch Update.

Information Disclosure Oracle Oracle Webcenter Sites
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the content management platform. Oracle's June 2026 Critical Patch Update advisory rates this 9.8 CVSS and describes it as easily exploitable with no authentication or user interaction. No public exploit identified at time of analysis, but the unauthenticated network vector and high impact place this among the highest-priority items in the CPU.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authenticated attacker with HTTP network access to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content. Oracle rates the flaw 8.0 (high) with confidentiality, integrity, and availability all marked High. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Account takeover in Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker with HTTP access to fully compromise the product. The flaw is rated CVSS 8.8 with high impact across confidentiality, integrity, and availability, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible by unauthenticated attackers over HTTP, with full compromise of confidentiality, integrity, and availability per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects network-reachable, low-complexity exploitation with no user interaction, placing this among the most severe Fusion Middleware issues in the cycle. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible when a low-privileged attacker with HTTP network access successfully chains a high-complexity exploit path in the WebCenter Sites component, resulting in full confidentiality, integrity, and availability compromise. Oracle's June 2026 Critical Patch Update disclosure rates this CVSS 7.5 with AC:H/PR:L, meaning a valid (even low-tier) account plus non-trivial conditions are required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Oracle Oracle Webcenter Sites
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution and full product takeover affects Oracle WebCenter Sites 14.1.2.0.0 within Oracle Fusion Middleware, enabling unauthenticated attackers to compromise the platform over HTTP. Oracle's June 2026 Critical Patch Update rates this 9.8 (CVSS 3.1) with confidentiality, integrity, and availability all marked High, and Oracle describes it as easily exploitable. No public exploit identified at time of analysis, and CWE classification is not provided in the supplied data.

Information Disclosure Oracle Oracle Webcenter Sites
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy