CVE Wiki Pixee · CVE intelligence

CVE-2026-35273

KEV · ransomware Critical · CVSS 9.8

PeopleSoft Enterprise PeopleTools — Missing Authentication for Critical Function (CWE-306) leading to unauthenticated RCE / full takeover via HTTP

CVSS: 9.8 (nvd)
EPSS:
KEV: Listed (ransomware)
Class: other
CWE-306

Description

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Search profile — drives PoC discovery

Symbols: Updates Environment Management, PeopleTools, PeopleSoft, EM Hub, Environment Management Framework, EMF, psemhub, piaconfig, PIA
Keywords: CVE-2026-35273, PeopleSoft PeopleTools unauthenticated, PeopleTools 8.61 exploit, PeopleTools 8.62 exploit, Updates Environment Management authentication bypass, PeopleSoft takeover PoC, PeopleSoft CWE-306, PeopleSoft EMF unauthenticated, PeopleSoft HTTP exploit, Oracle PeopleSoft 9.8 CVE
Versions: 8.61, 8.62

Candidate PoCs (2) — discovered, not yet vetted or ranked

Recall-favoring discovery (nomi-sec + trickest). Vetting and ranking are handled by the Stage-4 scorer.

References

Status: enriched · ingested 2026-06-13T00:00:30.000Z · profiled 2026-06-16T18:20:23.035Z