CVE-2026-35273
Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability - [Actively Exploited]
Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
INFO
Published Date: June 11, 2026, 4:16 a.m.
Last Modified: June 12, 2026, 7:15 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Known Detected Jun 13, 2026
https://www.oracle.com/security-alerts/alert-cve-2026-35273.html ; https://support.oracle.com/signin/ ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-35273
Affected Products
The following products are affected by the CVE-2026-35273 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| 9.8 | CVSS 3.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | | [email protected] |
Solution
- Apply Oracle patches for affected PeopleSoft versions.
- Update PeopleTools to the latest secure version.
- Restrict network access to the environment.
Public PoC/Exploit Available at Github
CVE-2026-35273 has 10 public PoCs/exploits available on GitHub.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-35273.
| URL | Resource |
|---|---|
| https://www.oracle.com/security-alerts/alert-cve-2026-35273.html | Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273 | Third Party Advisory US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-35273 is associated with the following CWEs:
- CWE-306: Missing Authentication for Critical Function
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-35273 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).
Python CLI tool to check CVE details + nuclei template coverage. Security research writeups in /research.
Python
None
Python
Gathers information about a CVE
Python Shell HTML
Agentic GraphRAG with clearance-aware retrieval — hybrid vector + knowledge-graph search, a LangGraph planner/critic loop, and a rigorous eval harness. Fully local, open-source models (Qwen3, BGE, Qdrant, Neo4j).
access-control agentic-ai graphrag knowledge-graph langgraph llm neo4j qdrant rag retrieval-augmented-generation
Dockerfile Python Shell
Loginsoft Vulnerability Intelligence ( LOVI )
CVE-2026-35273
Python
CVE-2026-35273
Python
Honeypot documentation for readthedocs.io publication
None
Python
🔍 A simple Bash script to detect malicious JSP webshells, including those used in exploits of SAP NetWeaver CVE-2025-31324.
Shell PowerShell
Results are limited to the first 15 repositories due to potential performance issues.
The following news articles mention the CVE-2026-35273 vulnerability.
- The Hacker News
  Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild
  A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber. The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), r ...
- TheCyberThrone
  The Vulnerabilities That Matter in Oracle’s June 2026 CSPU
  1. CVE-2026-35273 — PeopleSoft PeopleTools EMHub (the one that actually got people breached). This is the standout, and it’s worth walking through the full timeline because it’s a textbook case of zero- ...
- Trend Micro
  PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM
  Cyber Threats A pre-authentication remote code execution (RCE) chain in Oracle PeopleSoft PeopleTools abuses the Integration Broker's PSIGW gateway to execute code inside the application server's Java ...
- Ars Technica
  PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data
  “While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS,” Mand ...
- security.nl
  'ShinyHunters has exploited zero-day flaw in Oracle PeopleSoft since May 27'
  The criminal group ShinyHunters has since May 27 exploited a critical vulnerability in Oracle PeopleSoft for which no patch was available at the time of the attacks, according to ...
- TheCyberThrone
  Oracle PeopleSoft Zero-Day Exploited by ShinyHunters — 100+ Organizations Breached
  CVE-2026-35273 | CVSS 9.8 | Critical | Zero-Day | Active Exploitation. Overview: Oracle’s PeopleSoft enterprise platform has been the target of a large-scale, coordinated mass-compromise campaign carried ...
- The Hacker News
  ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
  The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hard ...
- Google Cloud
  ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
  Introduction Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft applicati ...
- security.nl
  ShinyHunters claims data theft from hundreds of Oracle PeopleSoft servers
  The criminal group ShinyHunters claims to have stolen data from hundreds of Oracle PeopleSoft servers. A security researcher reports this on X. The attacks are aimed at both ...
- security.nl
  Oracle releases emergency patch for critical RCE flaw in PeopleSoft
  Oracle has released an emergency patch, outside its regular patch cycle, for a critical vulnerability in PeopleSoft Enterprise PeopleTools that allows remote code execution (RCE). Organizations ...
The following table lists the changes that have been made to the CVE-2026-35273 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Initial Analysis by [email protected]
  Jun. 12, 2026
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | | OR *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.61:*:*:*:*:*:*:* *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.62:*:*:*:*:*:*:* |
| Added | Reference Type | | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273 Types: Third Party Advisory, US Government Resource |
| Added | Reference Type | | Oracle: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html Types: Vendor Advisory |
- CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
  Jun. 12, 2026
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Date Added | | 2026-06-12 |
| Added | Due Date | | 2026-06-12 |
| Added | Required Action | | 2026-06-12 |
| Added | Vulnerability Name | | 2026-06-12 |
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
  Jun. 12, 2026
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273 |
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
  Jun. 11, 2026
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CWE | | CWE-306 |
- New CVE Received by [email protected]
  Jun. 11, 2026
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). |
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Added | Reference | | https://www.oracle.com/security-alerts/alert-cve-2026-35273.html |