VDB

CVE-2026-35273

CVE-2026-35273 PUBLISHED KEV CVSS 9.800000190734863 CRITICAL

CVE-2026-35273 is a Missing Authentication for Critical Function vulnerability in the Updates Environment Management component of PeopleSoft which is being exploited by threat actors and APTs (ShinyHunters, Cl0p ransomware group) to execute code remotely and take full control of the PeopleSoft Enterprise PeopleTools system. An unauthenticated, remote attacker without any privileges and without any user interaction, can exploit this low-complexity vulnerability to connect to the system via HTTP to compromise the system, read sensitive data, and modify the system configurations.

EPSS 89.79% · 99.8th percentile

Risk Scores

CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
89.79%
99.8th percentile

Affected Products

VendorProductVersions
OracleOracle PeopleSoft ((Enterprise PeopleTools) versions: 8.61, 8.62

Timeline

  • Jun 11, 2026 Coalition ESS Score
  • Jun 11, 2026 CVE Published
  • Jun 12, 2026 CISA KEV Added
  • Jun 12, 2026 Security Advisory
  • Jun 13, 2026 CVE Updated
  • Jun 24, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›