Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable HTTPS deployment endpoint with no auth or user interaction (AV:N/PR:N/UI:N), full takeover impact (C:H/I:H/A:H), and Oracle-stated difficulty justifies AC:H; scope unchanged within PeopleTools.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, allowing an unauthenticated network attacker to fully compromise confidentiality, integrity, and availability of the application. Oracle rates this as difficult to exploit (AC:H) but assigns a CVSS 3.1 score of 8.1 due to the complete takeover impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Technical ContextAI
PeopleSoft PeopleTools is the underlying application development and runtime framework that powers Oracle's PeopleSoft Enterprise suite (HCM, Financials, Campus Solutions, etc.), providing the web/application/batch server tier and administrative tooling. The vulnerable Deployment Package component handles bundling and distribution of PeopleSoft customizations, patches, and application artifacts across environments. The affected CPE is cpe:2.3:a:oracle_corporation:peoplesoft_enterprise_pt_peopletools, specifically versions 8.61 and 8.62. CWE is not assigned by Oracle, which is consistent with their advisory practice of not classifying root cause publicly, but the network-reachable HTTPS attack surface combined with full C/I/A impact suggests an unauthenticated remote code execution or authentication bypass in the deployment workflow.
RemediationAI
Patch available per vendor advisory: apply the Oracle June 2026 Critical Patch Update fixes for PeopleSoft PT PeopleTools 8.61 and 8.62 as documented at https://www.oracle.com/security-alerts/cspujun2026.html (exact patched build numbers are listed in the CPU matrix and should be cross-referenced against your current PeopleTools release). Until patching is complete, restrict network reachability to PeopleSoft administrative and Deployment Package endpoints to trusted management networks via firewall ACLs or reverse-proxy allowlists, and place the PeopleSoft web tier behind a WAF tuned to inspect HTTPS traffic to PIA and deployment URIs - be aware this will not stop attacks originating from trusted segments and may interfere with legitimate Change Assistant or Lifecycle Management traffic if rules are too aggressive. Increase logging and alerting on the application server and PIA layers to detect anomalous Deployment Package activity. Avoid exposing PeopleSoft administrative interfaces to the public internet as a longer-term hardening step.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor com
Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic componen
Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated
Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti
Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Mo
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a
Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37417