Skip to main content

Oracle PeopleSoft CVE-2026-46851

| EUVDEUVD-2026-37344 HIGH
Code Injection (CWE-94)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

PIA is HTTP-reachable and Oracle confirms unauthenticated exploitation (AV:N/PR:N/UI:N); Oracle's 'difficult to exploit' language justifies AC:H; takeover of the app yields C:H/I:H/A:H with unchanged scope.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:45 vuln.today

DescriptionCVE.org

Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Security). The supported version that is affected is 9.2.38. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Campus Community. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise CS Campus Community. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed PeopleSoft CS portal
Delivery
Probe Security component endpoints
Exploit
Send crafted HTTP request sequence
Execution
Bypass authentication checks
Persist
Gain administrative control of Campus Community
Impact
Exfiltrate or alter student records

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the HTTP/HTTPS interface of a PeopleSoft Enterprise CS Campus Community 9.2.38 deployment and targets the Security component; no valid credentials or user interaction are needed (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) drives the 8.1 score: network reachable and unauthenticated, but with high attack complexity, meaning exploitation depends on conditions outside the attacker's direct control (timing, configuration, or a specific request sequence). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the internet locates a university's PeopleSoft Campus Community self-service portal, then sends a crafted sequence of HTTP requests to the Security component that exploits the specific non-trivial precondition required by the flaw; on success the attacker gains administrative control over the Campus Community application, allowing exfiltration of student/constituent PII, modification of records, or denial of service. Because Oracle marks attack complexity as High, the attacker likely needs to win a race, brute force a token, or hit a specific configuration to succeed, and no public exploit identified at time of analysis means the scenario currently requires original research.
Remediation Patch available per vendor advisory: apply the fixes delivered in the Oracle Critical Patch Update for PeopleSoft published at https://www.oracle.com/security-alerts/cspujun2026.html, which is the authoritative source for the exact patch bundle and post-patch version covering CS Campus Community 9.2.38. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all systems running PeopleSoft CS Campus Community 9.2.38 and restrict HTTP access to the application to trusted networks via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy