
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN618
_____________________________________________________________________

DATE                : 11/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PeopleSoft Enterprise PeopleTools
                                versions 8.61, 8.62.

=====================================================================
https://blogs.oracle.com/security/security-alert-cve-2026-35273-released
https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
_____________________________________________________________________

Security Alert CVE-2026-35273 Released
June 11, 2026


Oracle has just released Security Alert CVE-2026-35273. This
vulnerability affects PeopleSoft Enterprise PeopleTools. This
vulnerability has a CVSS v3.1 Base Score of 9.8. If successfully
exploited, this vulnerability may result in remote code execution.

Oracle customers should refer to the Security Alert Advisory for
detailed guidance.

For more information:

Security Alert CVE-2026-35273 is published at
https://www.oracle.com/security-alerts/alert-cve-2026-35273.html

Authors

Integrated Cyber Center (ICC)

Oracle’s Integrated Cyber Center (ICC) serves as the enterprise hub
for orchestrating Oracle’s global incident response, customer trust,
and strategic security communications. By unifying people, processes,
and intelligence across the organization, the ICC ensures Oracle
operates as one enterprise with one voice—protecting customers,
strengthening transparency, and driving continuous evolution of
our collective security posture.

_____________________________________________________________________

Oracle Security Alert Advisory - CVE-2026-35273
Description

This Security Alert addresses vulnerability CVE-2026-35273 in Oracle
PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications
customers may also be affected by this vulnerability. This
vulnerability is remotely exploitable without authentication. If
successfully exploited, this vulnerability may result in remote
code execution.

We consider implementation of the recommended mitigations to be a
high-priority risk reduction measure and strongly recommend immediate
action to address the identified exposure. Oracle always recommends
that customers remain on actively-supported versions and apply
all Critical Patch Updates, Critical Security Patch Updates and
Security Alerts without delay.


Affected Products and Mitigation Information

The security vulnerability addressed by this Security Alert affects
the products listed below.

Please click on the links in the Patch Availability Document column
below to access the documentation for mitigation information and
installation instructions.

Affected Products and Versions                          Patch Availability Document
------------------------------------------------------  --------------------------------------------------------
PeopleSoft Enterprise PeopleTools, versions 8.61, 8.62  PeopleSoft Security Alert Supported Products and Versions

Patches and mitigations released through the Security Alert program
are provided only for product versions that are covered under the
Premier Support or Extended Support phases of the Lifetime Support
Policy. Oracle recommends that customers plan product upgrades to
ensure that patches and mitigations released through the Security
Alert program are available for the versions they are currently
running.

Product releases that are not under Premier Support or Extended
Support are not tested for the presence of vulnerabilities addressed
by this Security Alert. However, it is likely that earlier versions
of affected releases are also affected by these vulnerabilities.
As a result, Oracle recommends that customers upgrade to supported
versions.

Database, Fusion Middleware, Oracle Enterprise Manager products
are patched in accordance with the Software Error Correction
Support Policy explained in My Oracle Support Note KB65129.
Please review the Technical Support Policies for further
guidelines regarding support policies and phases of support.


References

    Oracle Critical Patch Updates, Critical Security Patch Updates, Security Alerts and Bulletins
    Oracle Critical Patch Updates, Critical Security Patch Updates and Security Alerts - Frequently Asked Questions
    Risk Matrix Definitions
    Use of Common Vulnerability Scoring System (CVSS) by Oracle
    English text version of the risk matrices
    CSAF JSON version of the risk matrices
    Map of CVE to Advisory/Alert
    Oracle Lifetime Support Policy
    JEP 290 Reference Blocklist Filter

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly
addressed by these advisories. Risk matrices for previous security
patches can be found in previous Critical Patch Update advisories,
Critical Security Patch Update advisories and Alerts. An English
text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.1
(see Oracle CVSS Scoring for an explanation of how Oracle
applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability
addressed by a Security Alert. Oracle does not disclose detailed
information about this security analysis to customers, but the
resulting Risk Matrix and associated documentation provide
information about conditions required to exploit the
vulnerability and the potential impact of a successful exploit.
Oracle provides this information so that customers may conduct
their own risk analysis based on the particulars of their
product usage. For more information, see Oracle vulnerability
disclosure policies.

Third party component vulnerabilities that are deemed not
exploitable in the context of their inclusion in an Oracle
product are listed, with VEX justifications, below the
respective Oracle product's risk matrix.

The protocol in the risk matrix implies that all of its secure
variants are affected as well. For example, if HTTP is listed
as an affected protocol, it implies that HTTPS is also affected.
The secure variant of a protocol is listed in the risk matrix
only if it is the only variant affected.


Credit Statement

The following people or organizations reported the security
vulnerability addressed by this Security Alert to Oracle:

    Bobby Gould of TrendAI Zero Day Initiative: CVE-2026-35273
    Lucas Miller of TrendAI Research: CVE-2026-35273
    Minh Giang of TrendAI Zero Day Initiative: CVE-2026-35273

 
Modification History
Date         Note
2026-June-10         Rev 1. Initial Release.

 
Oracle PeopleSoft Risk Matrix

This vulnerability is remotely exploitable without authentication,
i.e., may be exploited over a network without requiring user
credentials.  The English text form of this Risk Matrix can
be found here.

CVE ID                        : CVE-2026-35273
Product                       : PeopleSoft Enterprise PeopleTools
Component                     : Updates Environment Management
Protocol                      : HTTP
Remote Exploit without Auth.? : Yes

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)
Base Score                    : 9.8
Attack Vector                 : Network
Attack Complexity             : Low
Privileges Required           : None
User Interaction              : None
Scope                         : Unchanged
Confidentiality               : High
Integrity                     : High
Availability                  : High

Supported Versions Affected   : 8.61, 8.62
Notes                         : (none)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




