ESB-2026.6582
=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.6582.2 Oracle Security Alert Advisory - CVE-2026-35273 15 June 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: Oracle PeopleSoft Enterprise PeopleTools Publisher: AUSCERT Operating System: Windows UNIX variants (UNIX, Linux, OSX) Resolution: Patch/Upgrade CVE Names: CVE-2026-35273 Original Bulletin: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html Comment: CVSS (Max): 9.8 CVE-2026-35273 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: Oracle Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H The following are listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog: CISA KEV CVE(s): CVE-2026-35273* CISA KEV URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog * Known Ransomware Campaign Use EPSS (Max): 19.8% (95th) CVE-2026-35273 2026-06-14 Revision History: June 15 2026: CVE-2026-35273 added to the CISA KEV Catalog June 12 2026: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Oracle Security Alert Advisory - CVE-2026-35273 Description This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability. This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution. We consider implementation of the recommended mitigations to be a high-priority risk reduction measure and strongly recommend immediate action to address the identified exposure. Oracle always recommends that customers remain on actively-supported versions and apply all Critical Patch Updates, Critical Security Patch Updates and Security Alerts without delay. Affected Products and Mitigation Information Security vulnerability addressed by this Security Alert affect the products listed below. Please click on the links in the Patch Availability Document column below to access the documentation for mitigation information and installation instructions. Affected Products and Versions | Patch Availability Document ----------------------------------------------------------------------------------------- PeopleSoft Enterprise PeopleTools, versions 8.61, 8.62 | PeopleSoft Security Alert Supported Products and Versions Patches and mitigations released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches and mitigations released through the Security Alert program are available for the versions they are currently running. Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions. Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note KB65129. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support. References o Oracle Critical Patch Updates, Critical Security Patch Updates, Security Alerts and Bulletins o Oracle Critical Patch Updates, Critical Security Patch Updates and Security Alerts - Frequently Asked Questions o Risk Matrix Definitions o Use of Common Vulnerability Scoring System (CVSS) by Oracle o English text version of the risk matrices o CSAF JSON version of the risk matrices o Map of CVE to Advisory/Alert o Oracle Lifetime Support Policy o JEP 290 Reference Blocklist Filter Risk Matrix Content Risk matrices list only security vulnerabilities that are newly addressed by these advisories. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories, Critical Security Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here. Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1). Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about conditions required to exploit the vulnerability and the potential impact of a successful exploit. Oracle provides this information so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies. Third party component vulnerabilities that are deemed not exploitable in the context of their inclusion in an Oracle product are listed, with VEX justifications, below the respective Oracle product's risk matrix. The protocol in the risk matrix implies that all of its secure variants are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected. Credit Statement The following people or organizations reported security vulnerability addressed by this Security Alert to Oracle: o Bobby Gould of TrendAI Zero Day Initiative: CVE-2026-35273 o Lucas Miller of TrendAI Research: CVE-2026-35273 o Minh Giang of TrendAI Zero Day Initiative: CVE-2026-35273 Modification History Date Note 2026-June-10 Rev 1. Initial Release. Oracle PeopleSoft Risk Matrix This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here. Remote CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Exploit Supported CVE ID Product Component Protocol without Base Attack Attack Privs User Confid- Inte- Avail- Versions Notes Auth.? Score Vector Complex Req'd Interact Scope entiality grity ability Affected PeopleSoft Updates Un- 8.61, CVE-2026-35273 Enterprise Environment HTTP Yes 9.8 Network Low None None changed High High High 8.62 PeopleTools Management - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| AUSCERT | Oracle PeopleSoft Enterprise PeopleTools |
Timeline
- Jun 12, 2026 CVE Published