SB20260422134 - Multiple vulnerabilities in Oracle WebLogic Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260422134

SB20260422134 - Multiple vulnerabilities in Oracle WebLogic Server

Published: April 22, 2026

Security Bulletin ID SB20260422134
CSH Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

High 14% Medium 86%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-68161)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName"  system property is set to true. A remote attacker can perform MitM attack and intercept or redirect the log traffic. 


2) Improper input validation (CVE-ID: CVE-2025-8916)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Security and Provisioning (Bouncy Castle Java Library) component in Oracle Essbase. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


3) Resource exhaustion (CVE-ID: CVE-2025-46392)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when loading a specially crafted configuration file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


4) Improper input validation (CVE-ID: CVE-2026-34315)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Web Services component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


5) Improper input validation (CVE-ID: CVE-2026-34292)

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to execute arbitrary code.


6) Code Injection (CVE-ID: CVE-2025-35036)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to Hibernate Validator by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


7) Improper input validation (CVE-ID: CVE-2026-34305)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Web Services component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


Remediation

Install update from vendor's website.

References