Oracle mitigates PeopleSoft zero-day exploited in data theft attacks

Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks.

The flaw is within Oracle PeopleSoft PeopleTools and has a CVSS base score of 9.8.

"This Security Alert addresses vulnerability CVE-2026-35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability," reads a new Oracle advisory.

"This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution."

Oracle has confirmed that the zero-day vulnerability affects PeopleSoft Enterprise PeopleTools, versions 8.61 and 8.62, and has released emergency mitigations to address the flaw, with a patch coming soon.

Oracle mitigates PeopleSoft zero-day exploited in data theft attacks

Other newsrooms on this story

Related reading

Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks

ShinyHunters breached 100+ companies through an unpatched Oracle PeopleSoft…

ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach…

Oracle warns of security bug that hackers abused to breach 100+ companies |…

Google says ShinyHunters hackers targeting education sector via Oracle exploit…

Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks