CVE-2026-21962

Published Jan 20, 2026

Last updated 3 months ago

CVSS critical 10.0
Business logic
HTTP

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-21962 is a recently disclosed vulnerability impacting Oracle Fusion Middleware, specifically affecting Oracle HTTP Server and the WebLogic Server Proxy Plug-ins. This flaw, identified as a heap-based buffer overflow or an improper access control vulnerability, allows an unauthenticated remote attacker to compromise affected systems. The vulnerability can be exploited by sending specially crafted HTTP requests to the exposed server, enabling unauthorized creation, deletion, or modification of critical data accessible through the Oracle HTTP Server and WebLogic Server Proxy Plug-in. Oracle has released patches to address this issue.

Description
Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
Source
secalert_us@oracle.com
NVD status
Modified
Products
http_server, weblogic_server_proxy_plug-in

Risk scores

CVSS 3.1

Type
Secondary
Base score
10
Impact score
5.8
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-284

Social media

Hype score
Not currently trending

  1. Exploitation infrastructure observed scanning for: CVE-2025-55182(React2shell) CVE-2026-21962(Oracle Weblogic) CVE-2025-31324(SAP NetWeaver) - actively exploited by China-linked APTs Targeting India-based critical infrastructure SAP exploit script "MADE BY SCATTERED LAPSUS$ ht

    @SansLimit3

    19 Mar 2026

    4038 Impressions

    7 Retweets

    48 Likes

    23 Bookmarks

    1 Reply

    1 Quote

  2. Top 5 Trending CVEs: 1 - CVE-2025-62186 2 - CVE-2023-28206 3 - CVE-2026-21962 4 - CVE-2026-24061 5 - CVE-2026-23760 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    26 Jan 2026

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Top 5 Trending CVEs: 1 - CVE-2025-54957 2 - CVE-2026-21962 3 - CVE-2025-43529 4 - CVE-2026-0629 5 - CVE-2017-9506 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    22 Jan 2026

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. ow ow ow, 2in1 bundle from Oracle 🟥 CVE-2026-21962, CVSS: 10.0 (Critical) Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in 🟥 CVE-2025-66516, CVSS: 10.0 (Critical) Apache Tika Oracle HTTP Server vulnerability allows unauthenticated attackers to compromise the serv

    @UjlakiMarci

    21 Jan 2026

    319 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-28780
  2. Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-29168
  3. HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-33523
  4. A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.CVE-2026-33007
  5. Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-23918

References

Sources include official advisories and independent security research.