CVE-2026-46798: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. (Oracle Corporation, Oracle WebCenter Sites)
CVE-2026-46798 is a critical vulnerability in Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0. It allows an unauthenticated attacker with network access via HTTP to fully compromise the product, potentially leading to complete takeover. The vulnerability impacts confidentiality, integrity, and availability, with a CVSS 3.1 base score of 10.0. Oracle has acknowledged the severity and recommends applying security patches promptly. The vulnerability may also affect additional Oracle products due to scope change. No specific patch version is stated in the advisory, but Oracle strongly urges applying the June 2026 Critical Security Patch Update to mitigate this and other vulnerabilities.
AI Analysis
Technical Summary
This vulnerability affects Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 and allows an unauthenticated attacker to exploit the system remotely over HTTP without any user interaction or privileges. The vulnerability has a critical CVSS score of 10.0, indicating complete compromise of confidentiality, integrity, and availability is possible. Oracle's June 2026 Critical Security Patch Update advisory references this vulnerability among 245 security patches addressing multiple Oracle products. While the advisory does not specify a direct patch version for WebCenter Sites, it strongly recommends applying the Critical Security Patch Update immediately to remediate this and other vulnerabilities. The advisory also notes that attacks on WebCenter Sites may impact other Oracle products due to scope change. No known exploits in the wild have been reported at the time of publication.
Potential Impact
Successful exploitation allows an unauthenticated attacker with network access via HTTP to fully compromise Oracle WebCenter Sites, resulting in complete takeover of the product. This includes full loss of confidentiality, integrity, and availability of the affected system. The vulnerability's scope change may cause significant impact on additional Oracle products integrated or dependent on WebCenter Sites.
Mitigation Recommendations
Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately, which includes patches addressing this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required by the attack, though this may impact functionality. Removing unnecessary privileges or access to vulnerable packages from users may also help reduce risk but could affect application operations. Oracle advises customers to remain on actively supported versions and apply security patches without delay. Patch status is not explicitly confirmed for individual versions beyond the advisory; customers should consult the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for detailed patch availability and installation instructions.
CVSS v3.1
Score 10.0 (critical)
Affected software
pkg:maven/com.oracle.webcenter/sites
Technical Details
- Data Version: 5.2
- Assigner Short Name: oracle
- Date Reserved: 2026-05-18T15:55:10.299Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Vendor Advisory URLs: https://www.oracle.com/security-alerts/cspujun2026.html (Oracle)
Threat ID: 6a31b6110b89be6888265967
Added to database: 6/16/2026, 8:46:09 PM
Last enriched: 6/16/2026, 11:16:25 PM
Last updated: 6/17/2026, 4:57:34 AM