Skip to main content

PeopleSoft PeopleTools EUVDEUVD-2026-37407

| CVE-2026-35278 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle states unauthenticated HTTP-reachable Performance Monitor flaw yielding takeover, so AV:N/AC:L/PR:N/UI:N with full C:H/I:H/A:H and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:23 vuln.today

DescriptionCVE.org

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor component, allowing unauthenticated network attackers to fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 9.8 critical and describes it as easily exploitable over HTTP, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed PeopleSoft web tier
Delivery
Probe Performance Monitor HTTP endpoint
Exploit
Send crafted unauthenticated PPM request
Execution
Exploit PeopleTools flaw for takeover
Persist
Execute commands in PeopleTools context
Impact
Pivot to PeopleSoft database and HR/finance data

Vulnerability AssessmentAI

Exploitation The PeopleSoft Enterprise PT PeopleTools Performance Monitor component must be reachable by the attacker over HTTP/HTTPS, and the deployment must be running PeopleTools 8.61 or 8.62 with PPM enabled (it is enabled by default on standard PeopleTools web profiles). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to high real-world risk: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N with S:U and C:H/I:H/A:H means a remote, unauthenticated, low-complexity HTTP request yields full takeover, and Oracle's own advisory text labels it 'easily exploitable.' Countering that, the issue is not listed in CISA KEV, no public POC is referenced in the provided intelligence, no EPSS score was supplied, and no CWE/SSVC decision data is available, so weaponization status is currently unknown. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the PeopleSoft web tier over the internet or an internal network sends a single crafted HTTP request to the Performance Monitor endpoint and, with no credentials or user interaction, obtains takeover-level control of the PeopleTools application, enabling data exfiltration from PeopleSoft modules (HR, finance, student records) and lateral movement into the Oracle database tier. No public exploit identified at time of analysis, but Oracle's 'easily exploitable' wording and the AV:N/AC:L/PR:N/UI:N vector imply a reliable one-shot exploit is feasible once the bug is reverse-engineered from the CPU patch.
Remediation Patch available per vendor advisory: apply the fixes shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) to PeopleTools 8.61 and 8.62 as the primary remediation, since no specific fixed patch level is enumerated in the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running PeopleSoft Enterprise PT PeopleTools 8.61-8.62 and assess criticality; restrict network access to Performance Monitor component via firewall rules; disable Performance Monitor service if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-35271 HIGH
8.7 Jun 16

Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic componen

CVE-2026-35272 HIGH
8.4 Jun 16

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2021-2218 HIGH
8.3 Apr 22

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated

CVE-2026-35274 HIGH
8.2 Jun 16

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti

CVE-2026-35288 HIGH
8.2 Jun 16

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package

CVE-2026-35276 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se

CVE-2026-35289 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2026-35279 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Mo

CVE-2019-12402 HIGH
7.5 Aug 30

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w

CVE-2019-10086 HIGH
7.3 Aug 20

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a

CVE-2018-2793 MEDIUM
6.2 Apr 19

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin

CVE-2021-2408 MEDIUM
6.1 Jul 21

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur

Share

EUVD-2026-37407 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy