VDB
CVE-2026-35273
CVE-2026-35273
PUBLISHED
KEV
CVSS 9.800000190734863 CRITICAL
CVE-2026-35273 is a Missing Authentication for Critical Function vulnerability in the Updates Environment Management component of PeopleSoft which is being exploited by threat actors and APTs (ShinyHunters, Cl0p ransomware group) to execute code remotely and take full control of the PeopleSoft Enterprise PeopleTools system. An unauthenticated, remote attacker without any privileges and without any user interaction, can exploit this low-complexity vulnerability to connect to the system via HTTP to compromise the system, read sensitive data, and modify the system configurations.
EPSS 89.79% · 99.8th percentile
Risk Scores
CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
89.79%
99.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Oracle PeopleSoft ((Enterprise PeopleTools) versions: 8.61, 8.62 |
Timeline
- Jun 11, 2026 Coalition ESS Score
- Jun 11, 2026 CVE Published
- Jun 12, 2026 CISA KEV Added
- Jun 12, 2026 Security Advisory
- Jun 13, 2026 CVE Updated
- Jun 24, 2026 EPSS Score
References
- https://ccb.belgium.be/advisories/warning-critical-actively-exploited-rce-oracle-peoplesoft-patch-immediately advisory
- https://www.oracle.com/security-alerts/alert-cve-2026-35273.html vendor
- https://github.com/advisories/GHSA-25mw-359m-f6rj technical
- https://nvd.nist.gov/vuln/detail/CVE-2026-35273 technical
- https://nationalcybersecurity.com/oracle-peoplesoft-peopletools-zero-day-cve-2026-35273-actively-exploited-urgent-patch-required-to-prevent-ransomware-and-data-breaches-rescana-ransomware-cybercrime/ technical
- https://dailysecurityreview.com/resources/oracle-peoplesoft-cve-2026-35273-shinyhunters-breaches-100-orgs/ technical
- https://www.mallory.ai/stories/019eb4b0-e6e9-77df-8f57-a9253ca89247 technical