cbcvebase.
CVE-2026-35278
published 2026-06-17


Priority: P263 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.58% (43.1th percentile)
Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: Performance Monitor). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected

4 ranges
Vendor | Product | Version range | Fixed in
oracle | peoplesoft_enterprise_pt_peopletools
oracle | peoplesoft_enterprise_pt_peopletools
oracle_corporation | peoplesoft_enterprise_pt_peopletools
oracle_corporation | peoplesoft_enterprise_pt_peopletools

Detection & IOCs (extracted from sources)

  • CVE-2026-35278 affects PeopleSoft Enterprise PT PeopleTools Performance Monitor component; target versions 8.61 and 8.62 accessible over HTTP without authentication (unauthenticated network attack vector)
  • Successful exploitation leads to full system takeover (RCE); monitor PeopleSoft Performance Monitor HTTP endpoints for anomalous unauthenticated requests
  • CVSS 3.1 score 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — no privileges or user interaction required, low attack complexity; prioritize detection and patching
  • Only PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 are confirmed affected; scope exploitation detection efforts to these versions
  • Vulnerability resides specifically in the Performance Monitor component of PeopleTools; focus monitoring and patch verification on that component

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvelistv5 | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H