Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
PIA is HTTP-reachable and Oracle confirms unauthenticated exploitation (AV:N/PR:N/UI:N); Oracle's 'difficult to exploit' language justifies AC:H; takeover of the app yields C:H/I:H/A:H with unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Security). The supported version that is affected is 9.2.38. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Campus Community. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise CS Campus Community. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the HTTP/HTTPS interface of a PeopleSoft Enterprise CS Campus Community 9.2.38 deployment and targets the Security component; no valid credentials or user interaction are needed (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) drives the 8.1 score: network reachable and unauthenticated, but with high attack complexity, meaning exploitation depends on conditions outside the attacker's direct control (timing, configuration, or a specific request sequence). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the internet locates a university's PeopleSoft Campus Community self-service portal, then sends a crafted sequence of HTTP requests to the Security component that exploits the specific non-trivial precondition required by the flaw; on success the attacker gains administrative control over the Campus Community application, allowing exfiltration of student/constituent PII, modification of records, or denial of service. Because Oracle marks attack complexity as High, the attacker likely needs to win a race, brute force a token, or hit a specific configuration to succeed, and no public exploit identified at time of analysis means the scenario currently requires original research. |
| Remediation | Patch available per vendor advisory: apply the fixes delivered in the Oracle Critical Patch Update for PeopleSoft published at https://www.oracle.com/security-alerts/cspujun2026.html, which is the authoritative source for the exact patch bundle and post-patch version covering CS Campus Community 9.2.38. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all systems running PeopleSoft CS Campus Community 9.2.38 and restrict HTTP access to the application to trusted networks via firewall rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Vulnerability in the PeopleSoft Enterprise CS Campus Community component of Oracle PeopleSoft Products (subcomponent: Fr
Unauthorized data access and manipulation in Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 allows a high-privi
Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Integration and
Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Notification Fra
Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Self-Service). R
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37344