Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Network-reachable HTTP with no auth or user interaction (AV:N/PR:N/UI:N), non-trivial conditions per Oracle (AC:H), scope change to other PeopleSoft data (S:C/C:H/I:H), no availability impact (A:N).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Weblogic). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. While the vulnerability is in PeopleSoft Enterprise PT PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PT PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PT PeopleTools accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
AnalysisAI
Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic component allows attackers with HTTP access to read and modify critical data across PeopleTools and additional products in scope. Oracle rates the issue 8.7 CVSS 3.1 with high attack complexity but no privileges or user interaction, and the scope-change flag means impact extends beyond PeopleTools itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
PeopleSoft Enterprise PT PeopleTools is the application development and runtime platform that underpins Oracle PeopleSoft applications (HCM, FSCM, Campus Solutions, etc.), and it is delivered on top of Oracle WebLogic Server, which Oracle identifies as the affected component here. The CPE cpe:2.3:a:oracle_corporation:peoplesoft_enterprise_pt_peopletools covers all versions but Oracle's advisory text scopes the issue to 8.61 and 8.62. The 'Authentication Bypass' tag combined with PR:N in the CVSS vector suggests the WebLogic-fronted PeopleTools HTTP surface fails to properly enforce an authentication or authorization check, letting an unauthenticated HTTP request reach functionality that should be gated; no CWE was assigned by the source, so the precise weakness class (CWE-287 vs CWE-306 vs CWE-863) is inferred rather than confirmed.
RemediationAI
Apply the Oracle Critical Patch Update of June 2026 for PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory, with exact post-patch build numbers to be taken from Oracle My Oracle Support since no specific fixed version string is provided in the input data. Until the CPU is deployed, restrict inbound HTTP/HTTPS reachability to the PeopleTools WebLogic listener so only trusted networks (VPN, jump hosts, corporate IP ranges) can reach the application, and place a WAF or reverse proxy in front to enforce authentication on portal entry points; note that aggressive URL filtering can break PeopleSoft integration brokers and IB-based interfaces, so test integration endpoints before tightening rules. Auditing WebLogic and PeopleTools access logs for anomalous unauthenticated HTTP requests is a reasonable interim detection measure given the authentication-bypass tag.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor com
Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated
Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti
Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Mo
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a
Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37402