Critical Unauthenticated RCE in Oracle PeopleSoft Enterprise PeopleTools (CVE-2026-35273)

critical-cve-against-infra · active

A critical vulnerability (CVSS 9.8) in Oracle PeopleSoft Enterprise PeopleTools allows an unauthenticated remote attacker with HTTP network access to fully take over the system. Supported versions 8.61 and 8.62 are affected.

Affected packages

Sources

• ghsahttps://github.com/advisories/GHSA-25mw-359m-f6rj
• nvdhttps://nvd.nist.gov/vuln/detail/CVE-2026-35273
• google-searchhttps://www.oracle.com/security-alerts/alert-cve-2026-35273.html
• cisa-kevhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-35273