Description
Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification and disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Employee Snapshot component of PeopleSoft Enterprise HCM Human Resources 9.2 and permits a low-privileged attacker with network access over HTTP to perform unauthorized updates, inserts, or deletions of data, as well as read restricted data. The potential impact on confidentiality and integrity is classified as low by the CVSS vector, indicating that attackers can alter or view some data but cannot bring the application offline. The weakness aligns with improper access control, where access permissions are not correctly enforced.

Affected Systems

Oracle Corporation’s PeopleSoft Enterprise HCM Human Resources version 9.2 is affected. The issue impacts the Employee Snapshot component and could potentially cascade to other PeopleSoft products due to a scope change.

Risk and Exploitability

The CVSS Base Score of 5.4 indicates moderate risk. The attack vector is network-based, and the attacker requires a low-privileged account and human interaction from a user other than the attacker; the vulnerability does not affect availability. EPSS information is not available and the vulnerability is not listed in CISA’s KEV catalog, so while exploitation is possible, the likelihood is uncertain. The moderate severity and limitation to low-privileged users suggest that patching remains the primary defense.

Generated by OpenCVE AI on April 22, 2026 at 05:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle PeopleSoft Enterprise HCM 9.2 security patch that addresses the Employee Snapshot access control flaw.
  • Restrict network access to the Employee Snapshot endpoint using firewall rules or IP whitelisting to limit exposure to trusted network segments.
  • Implement strict user training and verification procedures to reduce the risk of social engineering, which could supply the interaction from another user that the attack requires.



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title PeopleSoft Employee Snapshot Vulnerability Allows Unauthorized Data Modification
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
First Time appeared Oracle
Oracle peoplesoft Enterprise Hcm Human Resources
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_hcm_human_resources:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Hcm Human Resources
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:14:22.474Z

Reserved: 2026-01-05T18:07:34.726Z

Link: CVE-2026-22006

Vulnrichment

Updated: 2026-04-22T14:14:14.831Z

NVD

Status: Received

Published: 2026-04-21T21:16:26.240

Modified: 2026-04-22T15:16:12.557

Link: CVE-2026-22006

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z
