HIGH · CVE-2026-35295 · CNA: oracle

CVE-2026-35295: Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites)

Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

Oracle has published only its standard advisory wording for this flaw, so the underlying weakness is unspecified. It affects Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 and is reachable over HTTP from the network by an attacker holding a low-privileged account. The CVSS vector rates attack complexity high, so success depends on conditions outside the attacker's direct control, but a successful attack yields full takeover of the WebCenter Sites instance: high impact on confidentiality, integrity, and availability, with scope unchanged (the rating covers the application itself, not the host or adjacent systems). No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild when Oracle releases one.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle WebCenter Sites at an affected version. Any image carrying version 12.2.1.4.0 or 14.1.2.0.0 is flagged immediately.
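The matching step described above, as an added illustration rather than HarborGuard's own matcher. It assumes Oracle dotted versions compare component-wise with trailing zeros ignored (so a tag of 14.1.2 matches 14.1.2.0.0), that only the versions the advisory lists are affected, and it takes a hypothetical fix_version parameter so the same logic keeps flagging listed versions while the fix is pending and stops once an image is at or above a published fix. The inventory is constructed sample data.

```python
"""Match a container-image inventory against the affected versions in CVE-2026-35295.

Added example, not HarborGuard code. Assumptions: Oracle dotted versions compare
component-wise with trailing zeros ignored; only advisory-listed versions are
affected; fix_version is a hypothetical parameter for when Oracle publishes one.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Affected versions, from the advisory text on this page.
AFFECTED_VERSIONS = ("12.2.1.4.0", "14.1.2.0.0")


def parse_version(v: str) -> Tuple[int, ...]:
    """'12.2.1.4.0' -> (12, 2, 1, 4). Trailing zeros are dropped so that
    '14.1.2' and '14.1.2.0.0' compare equal (normalisation assumption)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


@dataclass
class Finding:
    image: str
    version: str
    status: str   # "affected", "fixed" or "not_affected"
    detail: str


def evaluate(image: str, version: str, fix_version: Optional[str] = None) -> Finding:
    """Classify one image. fix_version=None models the current 'pending upstream'
    state: every listed version stays flagged with no remediation version."""
    v = parse_version(version)
    if fix_version is not None and v >= parse_version(fix_version):
        return Finding(image, version, "fixed", f"at or above fix version {fix_version}")
    if v in {parse_version(a) for a in AFFECTED_VERSIONS}:
        detail = ("listed as affected; no upstream fix published, patch pending"
                  if fix_version is None
                  else f"listed as affected; upgrade to {fix_version}")
        return Finding(image, version, "affected", detail)
    return Finding(image, version, "not_affected", "version not listed in the advisory")


# Constructed sample inventory: (image reference, WebCenter Sites version found in it).
SAMPLE_INVENTORY = [
    ("registry.example/cms/webcenter-sites:12.2.1.4.0", "12.2.1.4.0"),
    ("registry.example/cms/webcenter-sites:14.1.2", "14.1.2"),
    ("registry.example/cms/webcenter-sites:12.2.1.3.0", "12.2.1.3.0"),
]


def scan(inventory, fix_version: Optional[str] = None) -> List[Finding]:
    """Evaluate every (image, version) pair in the inventory."""
    return [evaluate(img, ver, fix_version) for img, ver in inventory]


if __name__ == "__main__":
    for f in scan(SAMPLE_INVENTORY):
        print(f"{f.status:13} {f.image}  ({f.detail})")
```

The exact-match rule is deliberate: Oracle advisories enumerate affected supported versions rather than ranges, so an unlisted version such as 12.2.1.3.0 is reported as not affected by this advisory, which is not the same as safe; it may simply be out of support.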
Triage: Available

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights that score against each customer environment's compliance policy to determine urgency and routing. Findings are dispatched to the team or inbox configured inside each customer org, so the right owner sees it without manual sorting.
Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle ships a corrected version. In the interim, compensating controls such as network-policy isolation of the WebCenter Sites service and egress filtering are surfaced as recommended actions inside the platform.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle WebCenter Sites HTTP endpoint over the network (AV:N); the vector describes no local-only access path.

  • Authentication: Required

    A valid low-privilege account on the application is needed (PR:L); anonymous, unauthenticated access is not sufficient to trigger the vulnerability.

  • Victim interaction: Not required

    No user action or social engineering is needed (UI:N); the attacker operates without victim participation.

  • Attack complexity: High

    Attack complexity is rated HIGH (AC:H). Under CVSS 3.1 this means a successful attack depends on conditions beyond the attacker's control, such as knowledge of the target's configuration or winning a race, so reliable exploitation is non-trivial. Oracle's advisory does not say which conditions apply here.

Blast Radius

  • A successful attacker reads all data accessible to the WebCenter Sites application, including stored content, configuration, and any credentials held in the application tier.
  • The attacker can modify or delete persisted content, site configuration, and database records managed by WebCenter Sites.
  • The attacker can crash or render the WebCenter Sites service unavailable, disrupting content delivery for any front-end properties backed by the instance.
  • Combined high impact on confidentiality, integrity, and availability is what the CVSS scoring calls a takeover of the application. Scope is unchanged (S:U), so the rating covers the WebCenter Sites application itself; any further reach into the host, database server, or other systems would come from what a compromised instance can reach, not from the scored vulnerability.

How HarborGuard Handles This

Because Oracle has not yet published a fix for CVE-2026-35295, no patched-image rebuild is available at this time. HarborGuard re-evaluates the Oracle advisory on every ingest cycle and will generate a patched rebuild, and, for customers with auto-remediation enabled, open a PR against affected workloads, as soon as Oracle ships a corrected version. While waiting for an upstream fix, the platform surfaces compensating-control recommendations: isolate the WebCenter Sites service with a restrictive network policy that limits inbound HTTP to known-good sources (a reverse proxy, WAF, or the specific clients that need it); apply egress filtering so a compromised instance cannot reach internal systems beyond those it needs, such as its database; and disable optional WebCenter Sites features that expand the network-accessible attack surface. Because the attack requires a low-privilege login, customers should also audit which accounts hold valid credentials to the application, remove stale or shared accounts, and review authentication logs for those that remain, since each active account is a potential foothold.

Affected packages
  • Oracle Corporation / Oracle WebCenter Sites
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H