
CVE-2026-35273

CRITICAL · KEV · CISA Exploitation: ACTIVE · Known ransomware
CVSS 3.1: 9.8
Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metadata

CVE ID: CVE-2026-35273
State: PUBLISHED
Assigner: oracle
Reserved: 2026-04-01 20:03 UTC
Published: 2026-06-11 02:25 UTC
Last updated: 2026-06-13 03:55 UTC
Primary CWE: CWE-306 Missing Authentication for Critical Function
Vendor / Product: Oracle Corporation / PeopleSoft Enterprise PeopleTools
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation: ACTIVE
Automatable: yes
Tech. Impact: total
CISA Known Exploited Vulnerability
Vulnerability name: Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Vendor: Oracle
Product: PeopleSoft Enterprise PeopleTools
Added to KEV: 2026-06-12
Due date: 2026-06-15
Ransomware: Known use
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CISA description
Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.
Affected products (1)
Vendor | Product | Platform | Versions
Oracle Corporation | PeopleSoft Enterprise PeopleTools | - | 8.61, 8.62
Weakness (CWE)
CWE | Source | Description
- | cna | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVS
CWE-306 | adp | CWE-306 Missing Authentication for Critical Function
CVSS scores (1)
Score | Severity | Version | Source | Vector
9.8 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H