CVE-2026-35302

June 17, 2026, 2:17 p.m.

8.3
High

Description

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Product(s) Impacted

Vendor Product Versions
Oracle
  • Web Logic Server
  • 12.2.1.4.0, 14.1.1.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a oracle web_logic_server 12.2.1.4.0 / / / / / / /
a oracle web_logic_server 14.1.1.0.0 / / / / / / /

References

https://www.oracle.com/security-alerts/cspujun2026.html

Tags

CWE-601
[email protected]
2026-06-17
CVE-2026-35302

CVSS Score

8.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: June 17, 2026, 10:40 a.m.
Last Modified: June 17, 2026, 2:17 p.m.

Status : Undergoing Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.