CVE-2026-35286
Oracle has fixed multiple vulnerabilities in various products within the Oracle Fusion Middleware suite, including WebLogic Server, WebCenter Content, WebCenter Sites, WebCenter Portal, WebCenter Enterprise Capture, Identity Manager, Identity Manager Connector, Access Manager, Coherence, Unified Directory, Virtual Directory, and Application Development Framework (ADF). The vulnerabilities affect various versions of Oracle Fusion Middleware products, where an attacker with network access via HTTP, HTTPS, LDAP, T3, IIOP, or RMI protocols, depending on the product and vulnerability, can perform unauthorized actions. These actions include full system compromise, remote code execution, unauthorized creation, modification, or deletion of critical data, and bypassing authentication. Some vulnerabilities require user interaction, while others can be exploited by unauthenticated attackers. The vulnerabilities impact the confidentiality, integrity, and availability of the affected systems. Specific components such as WebLogic Server Console, Identity Manager Connector, Access Manager Authentication Engine, and Coherence are also affected. The CVSS 3.1 base scores range from moderate (around 4.1) to critical (10.0), depending on the vulnerability and product. Exploitation can lead to complete takeover of systems and may impact other Oracle products that rely on the vulnerable components.
CSIRTS triage
- What
- Multiple vulnerabilities could allow unauthorized actions including full system compromise and remote code execution.
- Who is affected
- Users with network access to various Oracle Fusion Middleware products.
- Urgency
- Remediation is critical due to the severity and potential impact of the vulnerabilities.
- Action
- Users should apply the updates provided by Oracle.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-35286
Get an email if CVE-2026-35286 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.48% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 38% of all EPSS-scored CVEs.
Advisory coverage (1)
- criticalNCSC-2026-0207 [1.00] [M/H] Vulnerabilities fixed in Oracle Fusion Middleware productsncsc-nl · 2026-06-17
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-35286)