CVE Catalog

Actively exploited in the wild

Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability

Oracle — PeopleSoft Enterprise PeopleTools · Listed in the CISA KEV since 2026-06-12. This indicates confirmed attacks in production environments.

Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CVE-2026-35273

Critical · CVSS 9.8 · KEV

Exploitation Probability (EPSS)

Very high risk
22.21%

96th percentile — higher than 96% of all known CVEs

Summary

Vulnerability in the Updates Environment Management component of the Oracle PeopleSoft Enterprise PeopleTools product. Versions 8.61 and 8.62 are affected; the flaw is easily exploitable and can lead to system takeover.

Risk Assessment

An unauthenticated attacker with network access via HTTP can easily compromise PeopleSoft Enterprise PeopleTools, posing a serious threat to the confidentiality, integrity, and availability of data.

Recommendation

Update the system to the latest version immediately to mitigate this vulnerability, and implement additional security measures, such as restricting access to the system.

Original NVD description (English source)

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS