Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-11
Score: 9.8 Critical
EPSS: 92.3% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

A defect in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 allows an unauthenticated attacker with network access over HTTP to execute arbitrary code and ultimately take over the application. The vulnerability is easily exploitable and causes loss of confidentiality, integrity, and availability, giving the attacker full control of the affected system. The weakness is an authentication bypass, identified as CWE-306. Remote code execution is inferred from the ability to execute arbitrary code.

Affected Systems

The affected systems are Oracle Corporation’s PeopleSoft Enterprise PeopleTools, specifically the 8.61 and 8.62 releases.

Risk and Exploitability

This flaw carries a CVSS 3.1 base score of 9.8 and an EPSS score of 92 percent, indicating a high probability of exploitation. It is listed in the CISA KEV catalog, which suggests it has been reported or is actively exploited in the wild. Because the vulnerability can be triggered via an unauthenticated HTTP request, a real‑world attacker could compromise multiple systems with minimal effort.

Generated by OpenCVE AI on June 29, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for PeopleSoft Enterprise PeopleTools 8.x to address the authentication bypass and code execution flaw.
  • Block or restrict HTTP traffic to the Updates Environment Management interface using network firewalls or ACLs to prevent unauthenticated access.
  • Enable logging and actively monitor PeopleSoft logs for anomalous requests or signs of exploitation, and respond promptly.



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass in Oracle PeopleSoft PeopleTools Enables Full System Takeover

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Title Authentication Bypass in Oracle PeopleSoft PeopleTools Enables Full System Takeover

Wed, 24 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Title Authentication Bypass in Oracle PeopleSoft PeopleTools Allows Remote Code Execution

Wed, 24 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass in Oracle PeopleSoft PeopleTools Allows Remote Code Execution

Wed, 24 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Unauthorized HTTP-based Exploitation Leading to Remote Code Execution in Oracle PeopleSoft PeopleTools

Tue, 23 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Title Unauthorized HTTP-based Exploitation Leading to Remote Code Execution in Oracle PeopleSoft PeopleTools

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass and Code Execution in PeopleSoft Updates Environment Management

Tue, 23 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass and Code Execution in PeopleSoft Updates Environment Management

Fri, 19 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Authentication Bypass in Oracle PeopleSoft PeopleTools 8.61/8.62 Enables Remote Code Execution via HTTP

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass in Oracle PeopleSoft PeopleTools 8.61/8.62 Enables Remote Code Execution via HTTP

Wed, 17 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Authentication Bypass Leading to Remote Code Execution in PeopleSoft Enterprise PeopleTools 8.61-8.62

Tue, 16 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Authentication Bypass Leading to Remote Code Execution in PeopleSoft Enterprise PeopleTools 8.61-8.62

Sun, 14 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Code Execution in Oracle PeopleSoft PeopleTools

Sat, 13 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Code Execution in Oracle PeopleSoft PeopleTools

Fri, 12 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.61:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.62:*:*:*:*:*:*:*

Fri, 12 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Enables Full Takeover of PeopleSoft Enterprise PeopleTools

Fri, 12 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-12T00:00:00+00:00', 'dueDate': '2026-06-15T00:00:00+00:00'}


Thu, 11 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Enables Full Takeover of PeopleSoft Enterprise PeopleTools

Thu, 11 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Updates Environment Management
Weaknesses CWE-284
CWE-287

Thu, 11 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Oracle
Oracle peoplesoft Enterprise Peopletools
Vendors & Products Oracle
Oracle peoplesoft Enterprise Peopletools

Thu, 11 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Updates Environment Management
Weaknesses CWE-284
CWE-287

Thu, 11 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-13T03:55:27.796Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35273

Vulnrichment

Updated: 2026-06-11T12:01:10.820Z

NVD

Status : Analyzed

Published: 2026-06-11T04:16:53.680

Modified: 2026-06-12T19:15:27.297

Link: CVE-2026-35273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T15:00:13Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function