Description
Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Person Search). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Shared Components. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Shared Components, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Shared Components accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Shared Components accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification and read via privilege escalation
Action: Apply Patch
AI Analysis

Impact

This vulnerability in the Oracle PeopleSoft Enterprise HCM Shared Components allows a low‑privileged attacker who can reach the application over HTTP to manipulate data. The flaw resides in the Person Search component and requires the cooperation of a user other than the attacker. When successfully exploited, the attacker can insert, update, or delete data, as well as read restricted data, thereby breaching confidentiality and integrity of the application and potentially the underlying database.

Affected Systems

Oracle Corporation’s PeopleSoft Enterprise HCM Shared Components, version 9.2, is affected. Because the vulnerability can change scope, other integrated PeopleSoft products that rely on the shared components may also be impacted if they do not enforce proper access controls.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 indicates moderate severity with impacts to confidentiality and integrity. The EPSS score is not available, suggesting limited public exploitation data. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a network‑based HTTP request. Successful exploits require a low‑privileged attacker and a victim user’s interaction, but the presence of scope changes raises the potential for broader impact across related products.

Generated by OpenCVE AI on April 22, 2026 at 05:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Oracle for the latest security update for PeopleSoft Enterprise HCM Shared Components 9.2 and apply the official patch immediately
  • Restrict network access to the PeopleSoft components to trusted users and disable the HTTP endpoints that expose the Person Search functionality if not required
  • Institute strict access controls and review database permissions for the shared components to prevent unauthorized insert, update, or delete operations

Generated by OpenCVE AI on April 22, 2026 at 05:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title HTTP‑based Privilege‑Escalation and Data Manipulation in Oracle PeopleSoft HCM Shared Components
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Person Search). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Shared Components. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Shared Components, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Shared Components accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Shared Components accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
First Time appeared Oracle
Oracle peoplesoft Enterprise Hcm Shared Components
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_hcm_shared_components:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Hcm Shared Components
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Oracle Peoplesoft Enterprise Hcm Shared Components
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:00:01.536Z

Reserved: 2026-01-05T18:07:34.731Z

Link: CVE-2026-22019

cve-icon Vulnrichment

Updated: 2026-04-22T13:59:53.326Z

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:29.030

Modified: 2026-04-22T14:16:35.290

Link: CVE-2026-22019

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T05:15:06Z

Weaknesses