Oracle disclosed two high-severity vulnerabilities this cycle. CVE-2026-35258 in WebLogic Server’s Console component (CVSS 8.7) enables an open redirect attack for credential theft against administrator sessions. CVE-2026-35275 in VM VirtualBox 7.2.8 (CVSS 7.5) allows a low-privileged guest user to escape the VM boundary and access or modify host or sibling VM data through the Shared Folders component. Neither CVE is in active exploitation per current source data, but WebLogic’s position in enterprise Java middleware and VirtualBox’s use in development and virtualized infrastructure make both worth prioritizing in Oracle’s upcoming Critical Patch Update cycle.