Skip to main content

Oracle PeopleTools CVE-2026-35288

| EUVDEUVD-2026-37416 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
8.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.2 HIGH

Local Deployment Package abuse needs prior high-privileged logon on the PeopleTools host (AV:L, PR:H), is low-complexity with no user interaction, and crosses scope to other PeopleSoft products with full C/I/A impact.

3.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:28 vuln.today

DescriptionCVE.org

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where PeopleSoft Enterprise PT PeopleTools executes to compromise PeopleSoft Enterprise PT PeopleTools. While the vulnerability is in PeopleSoft Enterprise PT PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privileged logon to PeopleTools host
Delivery
Locate Deployment Package component
Exploit
Tamper with deployment artifacts or invocation
Execution
Trigger execution under PeopleTools service identity
Persist
Cross scope into adjacent PeopleSoft products
Impact
Full takeover of PeopleTools and connected apps

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) interactive or service logon to the infrastructure host where PeopleSoft Enterprise PT PeopleTools 8.61 or 8.62 actually executes - typically the PeopleTools application server, Process Scheduler, or PIA mid-tier - and (2) high pre-existing privileges on that host such as the PSADMIN/PeopleSoft service account, a local administrator, or root, as confirmed by the CVSS AV:L and PR:H metrics. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a real but constrained priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A PeopleSoft administrator account is compromised through credential theft or a malicious insider abuses their existing access; the attacker logs onto the PeopleTools mid-tier server and manipulates Deployment Package content or invocation to execute attacker-controlled logic under the PeopleTools service identity. Because the vulnerability triggers a CVSS scope change, the attacker then pivots from PeopleTools into the broader PeopleSoft application stack (e.g., HCM or FSCM) to read or alter HR, financial, or student data. …
Remediation Apply the fixes delivered in Oracle's June 2026 Critical Patch Update for PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 as documented at https://www.oracle.com/security-alerts/cspujun2026.html (patch available per vendor advisory; exact post-patch build number is not independently confirmed in the provided data, so consult the CPU readme for the precise PeopleTools patch level). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all production systems running PeopleSoft Enterprise 8.61 or 8.62 and restrict local infrastructure access to essential personnel with documented approval. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-35278 CRITICAL
9.8 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor com

CVE-2026-35271 HIGH
8.7 Jun 16

Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic componen

CVE-2026-35272 HIGH
8.4 Jun 16

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2021-2218 HIGH
8.3 Apr 22

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated

CVE-2026-35274 HIGH
8.2 Jun 16

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti

CVE-2026-35276 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se

CVE-2026-35289 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2026-35279 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Mo

CVE-2019-12402 HIGH
7.5 Aug 30

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w

CVE-2019-10086 HIGH
7.3 Aug 20

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a

CVE-2018-2793 MEDIUM
6.2 Apr 19

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin

CVE-2021-2408 MEDIUM
6.1 Jul 21

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur

Share

CVE-2026-35288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy