Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2026-35273
Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability - [Actively Exploited]
Description

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

INFO

Published Date: June 11, 2026, 4:16 a.m.

Last Modified: June 12, 2026, 7:15 p.m.

Remotely Exploitable: Yes
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.

Required Action :

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Known Ransomware Campaign Use:

Known Detected Jun 13, 2026

Notes :

https://www.oracle.com/security-alerts/alert-cve-2026-35273.html ; https://support.oracle.com/signin/ ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-35273

Affected Products

The following products are affected by the CVE-2026-35273 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Oracle peoplesoft_enterprise_peopletools
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL [email protected]
Solution
Exploitable vulnerability compromises PeopleSoft Enterprise PeopleTools. Apply Oracle patches immediately for affected versions.
  • Apply Oracle patches for affected PeopleSoft versions.
  • Update PeopleTools to the latest secure version.
  • Restrict network access to the environment.
Public PoC/Exploit Available at Github

CVE-2026-35273 has 10 public PoCs/exploits available on GitHub.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-35273.

URL Resource
https://www.oracle.com/security-alerts/alert-cve-2026-35273.html Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273 Third Party Advisory US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-35273 is associated with the following CWEs:

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).

Python CLI tool to check CVE details + nuclei template coverage. Security research writeups in /research.

Python

Updated: 1 day, 12 hours ago
0 stars 0 fork 0 watcher
Born at: June 28, 2026, 1:27 p.m. This repo has been linked to 14 different CVEs.

None

Python

Updated: 5 days, 16 hours ago
0 stars 0 fork 0 watcher
Born at: June 26, 2026, 5:21 a.m. This repo has been linked to 1 CVE.

Gathers information about a CVE

Python Shell HTML

Updated: 6 days, 2 hours ago
0 stars 0 fork 0 watcher
Born at: June 25, 2026, 7:09 p.m. This repo has been linked to 2 different CVEs.

Agentic GraphRAG with clearance-aware retrieval — hybrid vector + knowledge-graph search, a LangGraph planner/critic loop, and a rigorous eval harness. Fully local, open-source models (Qwen3, BGE, Qdrant, Neo4j).

access-control agentic-ai graphrag knowledge-graph langgraph llm neo4j qdrant rag retrieval-augmented-generation

Dockerfile Python Shell

Updated: 4 days, 8 hours ago
1 stars 0 fork 0 watcher
Born at: June 25, 2026, 9:51 a.m. This repo has been linked to 1 CVE.

Loginsoft Vulnerability Intelligence ( LOVI )

Updated: 16 hours, 42 minutes ago
0 stars 0 fork 0 watcher
Born at: June 24, 2026, 9:23 a.m. This repo has been linked to 2 different CVEs.

CVE-2026-35273

Python

Updated: 2 weeks, 5 days ago
1 stars 1 fork 1 watcher
Born at: June 12, 2026, 9:19 a.m. This repo has been linked to 1 CVE.

CVE-2026-35273

Python

Updated: 2 weeks, 5 days ago
1 stars 0 fork 0 watcher
Born at: June 12, 2026, 1:51 a.m. This repo has been linked to 1 CVE.

Honeypot documentation for readthedocs.io publication

Updated: 2 weeks, 5 days ago
0 stars 0 fork 0 watcher
Born at: June 11, 2026, 5:20 p.m. This repo has been linked to 2 different CVEs.

None

Python

Updated: 2 weeks, 5 days ago
0 stars 0 fork 0 watcher
Born at: May 18, 2026, 6:49 a.m. This repo has been linked to 1 CVE.

🔍 A simple Bash script to detect malicious JSP webshells, including those used in exploits of SAP NetWeaver CVE-2025-31324.

Shell PowerShell

Updated: 2 weeks, 5 days ago
1 stars 0 fork 0 watcher
Born at: April 30, 2025, 3:38 p.m. This repo has been linked to 2 different CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following news articles mention the CVE-2026-35273 vulnerability.

  • The Hacker News
Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild

A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber. The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), r ... Read more

Published Date: Jun 30, 2026 (1 day, 16 hours ago)
  • TheCyberThrone
The Vulnerabilities That Matter in Oracle’s June 2026 CSPU

1. CVE-2026-35273 — PeopleSoft PeopleTools EMHub (the one that actually got people breached) This is the standout, and it’s worth walking through the full timeline because it’s a textbook case of zero- ... Read more

Published Date: Jun 19, 2026 (1 week, 5 days ago)
  • Trend Micro
PeopleSoft PeopleTools Pre-Authentication RCE: A PSIGW SSRF Chain That Executes Inside the JVM

Cyber Threats A pre-authentication remote code execution (RCE) chain in Oracle PeopleSoft PeopleTools abuses the Integration Broker's PSIGW gateway to execute code inside the application server's Java ... Read more

Published Date: Jun 18, 2026 (1 week, 6 days ago)
  • Ars Technica
PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data

“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS,” Mand ... Read more

Published Date: Jun 12, 2026 (2 weeks, 5 days ago)
  • security.nl
'ShinyHunters has exploited zero-day vulnerability in Oracle PeopleSoft since May 27'

The criminal group ShinyHunters has since May 27 exploited a critical vulnerability in Oracle PeopleSoft for which no patch was yet available at the time of the attacks, according to ... Read more

Published Date: Jun 12, 2026 (2 weeks, 5 days ago)
  • TheCyberThrone
Oracle PeopleSoft Zero-Day Exploited by ShinyHunters — 100+ Organizations Breached

CVE-2026-35273 | CVSS 9.8 | Critical | Zero-Day | Active Exploitation Overview Oracle’s PeopleSoft enterprise platform has been the target of a large-scale, coordinated mass-compromise campaign carried ... Read more

Published Date: Jun 12, 2026 (2 weeks, 5 days ago)
  • The Hacker News
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities

The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hard ... Read more

Published Date: Jun 11, 2026 (2 weeks, 6 days ago)
  • Google Cloud
ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit

Introduction Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft applicati ... Read more

Published Date: Jun 11, 2026 (2 weeks, 6 days ago)
  • security.nl
ShinyHunters claims data theft from hundreds of Oracle PeopleSoft servers

The criminal group ShinyHunters claims to have stolen data from hundreds of Oracle PeopleSoft servers, a security researcher reports on X. The attacks are directed against both ... Read more

Published Date: Jun 11, 2026 (2 weeks, 6 days ago)
  • security.nl
Oracle releases emergency patch for critical RCE vulnerability in PeopleSoft

Oracle has released an emergency patch, outside its regular patch cycle, for a critical vulnerability in PeopleSoft Enterprise PeopleTools that allows remote code execution (RCE). Organization ... Read more

Published Date: Jun 11, 2026 (2 weeks, 6 days ago)

The following table lists the changes that have been made to the CVE-2026-35273 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jun. 12, 2026

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.61:*:*:*:*:*:*:* *cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.62:*:*:*:*:*:*:*
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273 Types: Third Party Advisory, US Government Resource
    Added Reference Type Oracle: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html Types: Vendor Advisory
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jun. 12, 2026

    Action Type Old Value New Value
    Added Date Added 2026-06-12
    Added Due Date 2026-06-12
    Added Required Action 2026-06-12
    Added Vulnerability Name 2026-06-12
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 12, 2026

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 11, 2026

    Action Type Old Value New Value
    Added CWE CWE-306
  • New CVE Received by [email protected]

    Jun. 11, 2026

    Action Type Old Value New Value
    Added Description Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added Reference https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.