Description
Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Security). The supported version that is affected is 9.2.38. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Campus Community. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise CS Campus Community. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Security component of Oracle PeopleSoft Enterprise CS Campus Community and allows an unauthenticated attacker with network access via HTTP to gain complete control of the application. The flaw grants full confidentiality, integrity and availability compromise, resulting in a total takeover of the PeopleSoft instance. The weakness stems from a code injection flaw that allows execution of arbitrary code without authentication.

Affected Systems

Oracle Corporation's PeopleSoft Enterprise CS Campus Community version 9.2.38 is affected. No other versions or vendors are listed as impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity attack with potential for loss of all data and service availability. The EPSS score of < 1% shows that exploitation is currently considered rare, but the lack of KEV listing does not reduce the inherent risk. Likely attack vector is an HTTP request sent to the vulnerable endpoint without authentication, exploiting a code injection flaw to execute arbitrary code and gain full application control.

Generated by OpenCVE AI on June 19, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch for PeopleSoft Enterprise CS Campus Community 9.2.38 immediately.
  • If a patch is not yet available, restrict HTTP access to the application by implementing firewall rules or VPN‑only connectivity to deny external unauthenticated traffic.
  • Ensure proper input validation and sanitization of user-supplied data to prevent code injection, or disable vulnerable features that allow arbitrary code execution.

Generated by OpenCVE AI on June 19, 2026 at 00:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Exploit Allowing Full Control of PeopleSoft Enterprise CS Campus Community
Weaknesses CWE-284
CWE-853

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Exploit Allowing Full Control of PeopleSoft Enterprise CS Campus Community
Weaknesses CWE-284
CWE-853
CWE-94
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the PeopleSoft Enterprise CS Campus Community product of Oracle PeopleSoft (component: Security). The supported version that is affected is 9.2.38. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Campus Community. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise CS Campus Community. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle peoplesoft Enterprise Cs Campus Community
CPEs cpe:2.3:a:oracle:peoplesoft_enterprise_cs_campus_community:9.2.38:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle peoplesoft Enterprise Cs Campus Community
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Peoplesoft Enterprise Cs Campus Community
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-23T03:55:52.879Z

Reserved: 2026-05-18T15:55:10.306Z

Link: CVE-2026-46851

cve-icon Vulnrichment

Updated: 2026-06-17T14:10:20.625Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:15:03Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')