Critical Vulnerability in Oracle Products
22 January 2026
Oracle has released security updates to address a critical vulnerability affecting Oracle HTTP Server and WebLogic Server Proxy Plug-in. Users and administrators of affected products are advised to update the affected products to the latest version immediately.
Background
Oracle has released security updates to address a critical vulnerability (CVE-2026-21962) affecting Oracle HTTP Server and WebLogic Server Proxy Plug-in. The vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 10 out of 10.
Impact
Successful exploitation of the vulnerability could allow an unauthenticated attacker with HTTP network access to gain access to data or have full access to the vulnerable product, potentially enabling the attacker to create, delete or modify sensitive data.
Affected Products
The vulnerability affects the following product versions:
Oracle HTTP Server versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0
Oracle WebLogic Server Proxy Plug-in versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0
Oracle WebLogic Server Proxy Plug-in for IIS version 12.2.1.4.0
Mitigation
Users and administrators of affected products are advised to update the affected products to the latest version immediately.
References
https://nvd.nist.gov/vuln/detail/CVE-2026-21962
https://www.oracle.com/security-alerts/cpujan2026.html
