CVE-2026-35273
In short
PeopleSoft Enterprise PeopleTools has a critical flaw that allows anyone on the network to take complete control of the system without needing a password. This is a serious vulnerability because attackers can access, modify, or destroy all data managed by PeopleSoft.
Technical detail
A CWE-306 (Missing Authentication Check) vulnerability in PeopleSoft Enterprise PeopleTools 8.61 and 8.62 allows unauthenticated remote attackers to achieve complete system compromise via HTTP requests to the Updates Environment Management component. No credentials or user interaction are required; successful exploitation results in a full confidentiality, integrity, and availability breach (CVSS 9.8).
Summary generated and translated by AI from the official description.
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Oracle Corporation · PeopleSoft Enterprise PeopleTools
Public PoCs found — 2
github: github.com/HORKimhab/CVE-2026-35273 ★ 4
github: github.com/0xBlackash/CVE-2026-35273 ★ 1
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.