Description
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Deployment Package component of Oracle PeopleSoft Enterprise PT PeopleTools permits an unauthenticated attacker who can reach the system over HTTPS to bypass authentication controls and gain full control over the application. The vulnerability poses a high‑impact risk, compromising confidentiality, integrity, and availability of the PeopleSoft environment. The weakness corresponds to CWE‑306, indicating inadequate security control.

Affected Systems

Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 are affected. No other versions or variants are listed as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need to establish an HTTPS session against the deployment package endpoint; the description indicates that exploitation is difficult, implying that specific inputs or conditions are required, though the exact vector is not detailed.

Generated by OpenCVE AI on June 18, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch or update for PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 available in the June 2026 security alert
  • Restrict HTTPS access to the deployment package endpoint to trusted IP addresses or networks
  • Enforce strong authentication and multi‑factor authentication for all deployment operations

Generated by OpenCVE AI on June 18, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTPS Access Exploitation in Oracle PeopleSoft Deployment Package Enables Full Application Takeover

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTPS Exploit in PeopleSoft Enterprise PT PeopleTools Deployment Package
Weaknesses CWE-284
CWE-287

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTPS Exploit in PeopleSoft Enterprise PT PeopleTools Deployment Package
Weaknesses CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Deployment Package). Supported versions that are affected are 8.61 and 8.62. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle peoplesoft Enterprise Pt Peopletools
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.61:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.62:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Pt Peopletools
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Peoplesoft Enterprise Pt Peopletools
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:13.946Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35289

cve-icon Vulnrichment

Updated: 2026-06-17T13:28:42.090Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:30:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function