Description
Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-01-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Sensitive HR Data
Action: Patch
AI Analysis

Impact

A vulnerability exists in Oracle PeopleSoft Enterprise HCM Human Resources version 9.2 that permits an unauthenticated attacker to perform unauthorized update, insert, delete, or read operations on certain HR data accessed through the Company Dir / Org Chart Viewer and Employee Snapshot components. The weakness is an improper access control flaw that can lead to partial loss of confidentiality and integrity of organization and employee information, but does not compromise availability or allow code execution.

Affected Systems

The affected system is Oracle PeopleSoft Enterprise HCM Human Resources version 9.2, specifically the Company Dir / Org Chart Viewer and Employee Snapshot components. Only this version is listed as vulnerable; no other PeopleSoft or Oracle products are mentioned.

Risk and Exploitability

With a CVSS 3.1 base score of 6.1, the vulnerability is moderate in severity. The EPSS score is below 1 % and the vulnerability is not listed in CISA's KEV catalog, indicating a low probability of widespread exploitation. Successful exploitation requires an unauthenticated attacker to send a request over HTTP and relies on a human interaction from a user other than the attacker—most likely a social‑engineering or phishing scenario. If such an interaction occurs, the attacker can modify or delete HR data or read restricted information, potentially leading to privacy breaches or disruptive business impact.

Generated by OpenCVE AI on April 18, 2026 at 04:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch or update address for CVE-2026-21961 as published in the official Oracle advisory for PeopleSoft 9.2.
  • Restrict network access to the Company Dir / Org Chart Viewer and Employee Snapshot components so that only authenticated, privileged personnel can reach them; enforce this via firewall or network segmentation or web‑application‑layer controls.
  • Educate end users and administrators about social‑engineering attempts that could exploit this flaw, such as unsolicited links or requests that trigger the affected components, and advise them to verify and validate such requests before interacting.

Generated by OpenCVE AI on April 18, 2026 at 04:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Network Access Enables Unauthorized Changes and Read of Oracle PeopleSoft HR Data

Wed, 21 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
First Time appeared Oracle
Oracle peoplesoft Enterprise Hcm Human Resources
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_hcm_human_resources:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Hcm Human Resources
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Oracle Peoplesoft Enterprise Hcm Human Resources
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T15:51:52.957Z

Reserved: 2026-01-05T18:07:34.714Z

Link: CVE-2026-21961

cve-icon Vulnrichment

Updated: 2026-01-21T15:51:41.396Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:15:58.987

Modified: 2026-01-29T21:00:03.960

Link: CVE-2026-21961

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses