Skip to main content

PeopleSoft PeopleTools CVE-2026-35276

| EUVDEUVD-2026-37406 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Oracle's vector is consistent with description: remote HTTP reach (AV:N), unauthenticated (PR:N), no UI, but AC:H reflects undisclosed exploitation precondition; full takeover justifies C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:22 vuln.today

DescriptionCVE.org

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Application Server). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Server component, where an unauthenticated attacker with HTTP network access can compromise confidentiality, integrity, and availability. Oracle rates the flaw CVSS 8.1 with high attack complexity, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed PeopleSoft PIA endpoint
Delivery
Probe Application Server via HTTP
Exploit
Send crafted request meeting AC:H precondition
Execution
Trigger flaw in App Server component
Persist
Achieve code execution or auth bypass
Impact
Take over PeopleTools and pivot to database

Vulnerability AssessmentAI

Exploitation Attacker must have network HTTP access to the PeopleSoft Application Server tier (typically fronted by the PIA web server) on a deployment running PeopleTools 8.61 or 8.62; no authentication and no user interaction are required (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and warrant a measured response. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reachable to a PeopleSoft PIA endpoint sends a specially crafted HTTP request to the Application Server tier that, when timing or session-state conditions align, triggers the underlying flaw and yields code execution or data access in the App Server context - leading to full takeover of PeopleTools and downstream access to the PeopleSoft database via the App Server's service account. No POC is currently public, so initial exploitation would require attacker reverse-engineering of the June 2026 CPU patch.
Remediation Apply the fixes shipped in Oracle's June 2026 Critical Patch Update (cspujun2026) - see https://www.oracle.com/security-alerts/cspujun2026.html - which is the vendor-released patch for PeopleTools 8.61 and 8.62; Oracle does not assign individual fix version numbers in CPUs, so customers should install the latest PeopleTools patch level identified in the CPU advisory matrix for their release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Identify all systems running PeopleSoft 8.61/8.62; review access logs for suspicious network activity to the Application Server component. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-35278 CRITICAL
9.8 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor com

CVE-2026-35271 HIGH
8.7 Jun 16

Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic componen

CVE-2026-35272 HIGH
8.4 Jun 16

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2021-2218 HIGH
8.3 Apr 22

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated

CVE-2026-35274 HIGH
8.2 Jun 16

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti

CVE-2026-35288 HIGH
8.2 Jun 16

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package

CVE-2026-35289 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2026-35279 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Mo

CVE-2019-12402 HIGH
7.5 Aug 30

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w

CVE-2019-10086 HIGH
7.3 Aug 20

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a

CVE-2018-2793 MEDIUM
6.2 Apr 19

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin

CVE-2021-2408 MEDIUM
6.1 Jul 21

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur

Share

CVE-2026-35276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy