Skip to main content

Oracle PeopleTools EUVDEUVD-2026-37416

| CVE-2026-35288 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
8.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.2 HIGH

Local Deployment Package abuse needs prior high-privileged logon on the PeopleTools host (AV:L, PR:H), is low-complexity with no user interaction, and crosses scope to other PeopleSoft products with full C/I/A impact.

3.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:28 vuln.today

DescriptionCVE.org

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where PeopleSoft Enterprise PT PeopleTools executes to compromise PeopleSoft Enterprise PT PeopleTools. While the vulnerability is in PeopleSoft Enterprise PT PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

The flaw resides in the Deployment Package subsystem of PeopleTools, the middleware/runtime layer that underpins Oracle PeopleSoft applications (HCM, FSCM, Campus Solutions, etc.). Deployment Packages bundle binaries, configuration, and scripts used to install or update PeopleSoft environments, so weaknesses there typically involve trust placed in files, paths, or configuration executed during deployment by privileged service accounts. The CPE confirms the affected component is cpe:2.3:a:oracle_corporation:peoplesoft_enterprise_pt_peopletools, and the CVSS scope change (S:C) signals that exploitation crosses the PeopleTools security authority and can affect adjacent PeopleSoft application products that rely on it. No CWE was assigned, so the precise weakness class (e.g., insecure file handling, path or argument injection during deployment) cannot be confirmed from the provided data.

RemediationAI

Apply the fixes delivered in Oracle's June 2026 Critical Patch Update for PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 as documented at https://www.oracle.com/security-alerts/cspujun2026.html (patch available per vendor advisory; exact post-patch build number is not independently confirmed in the provided data, so consult the CPU readme for the precise PeopleTools patch level). Until the CPU is deployed, compensating controls should focus on the PR:H/AV:L precondition: restrict interactive and service logon on PeopleTools application, app server, and Process Scheduler hosts to a minimal set of named admins, rotate and vault credentials for the PSADMIN/deployment service accounts, and tightly control who can place files into or invoke Deployment Package directories (trade-off: tighter ACLs may break ad-hoc patching workflows and require coordination with the PeopleSoft admin team). Enable OS-level auditing on the Deployment Package paths and on PSADMIN/PSAdmin invocations to detect tampering, accepting the additional log volume as the cost.

CVE-2026-35278 CRITICAL
9.8 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Performance Monitor com

CVE-2026-35271 HIGH
8.7 Jun 16

Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic componen

CVE-2026-35272 HIGH
8.4 Jun 16

Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2021-2218 HIGH
8.3 Apr 22

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Health Center). Rated

CVE-2026-35274 HIGH
8.2 Jun 16

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenti

CVE-2026-35276 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Se

CVE-2026-35289 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package comp

CVE-2026-35279 HIGH
8.1 Jun 16

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Mo

CVE-2019-12402 HIGH
7.5 Aug 30

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop w

CVE-2019-10086 HIGH
7.3 Aug 20

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for a

CVE-2018-2793 MEDIUM
6.2 Apr 19

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: PsAdmin

CVE-2021-2408 MEDIUM
6.1 Jul 21

Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Notification Configur

Share

EUVD-2026-37416 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy