Description
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A defect in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools enables an unauthenticated attacker with network access over HTTP to execute arbitrary code and ultimately take over the application. The vulnerability is easily exploitable and, once triggered, compromises confidentiality, integrity, and availability, giving the attacker full control of the affected system. The weakness is a classic example of improper access control that allows execution of privileged functions without proper authorization.

Affected Systems

Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 are impacted. The product is used by enterprises for HR, finance, and other critical business functions.

Risk and Exploitability

With a CVSS 3.1 base score of 9.8, this flaw is considered critical. The EPSS score is not available, but because the vulnerability is exploitable over an open HTTP interface and requires no authentication or user interaction, a real‑world attacker could compromise multiple systems with minimal effort. The vulnerability is not yet listed in the CISA KEV catalog, but it remains an urgent concern because of its high severity and network reachability.

Generated by OpenCVE AI on June 11, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle patch that addresses CVE-2026-35273 as soon as it is released.
  • Restrict HTTP traffic to the Updates Environment Management interface using firewalls or ACLs to prevent unauthenticated access.
  • Continuously monitor PeopleSoft logs for signs of unauthorized activity or suspicious requests.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 12:30:00 +0000

Values added (none removed):
  • Weaknesses: CWE-306
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Values added (none removed):
  • First Time appeared: Oracle; Oracle peoplesoft Enterprise Peopletools
  • Vendors & Products: Oracle; Oracle peoplesoft Enterprise Peopletools

Thu, 11 Jun 2026 04:45:00 +0000

Values added (none removed):
  • Title: Remote Code Execution via Updates Environment Management
  • Weaknesses: CWE-284, CWE-287

Thu, 11 Jun 2026 03:30:00 +0000

Values added (none removed):
  • Description: text identical to the Description at the top of this page
  • References: (values not shown on this page)
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-11T12:01:15.533Z

Reserved: 2026-04-01T20:03:40.835Z

Link: CVE-2026-35273

Vulnrichment

Updated: 2026-06-11T12:01:10.820Z

NVD

Status: Received

Published: 2026-06-11T04:16:53.680

Modified: 2026-06-11T13:16:32.773

Link: CVE-2026-35273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:30:11Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-287: Improper Authentication
  • CWE-306: Missing Authentication for Critical Function