{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34309", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-03-26T19:48:45.680Z", "datePublished": "2026-04-21T20:35:35.917Z", "dateUpdated": "2026-04-21T20:35:35.917Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:35.917Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "PeopleSoft Enterprise PeopleTools", "versions": [{"version": "8.61", "status": "affected", "lessThanOrEqual": "8.62", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.61", "versionEndIncluding": "8.62"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Security). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)."}], "id": "CVE-2026-34309", "lastModified": "2026-04-21T21:16:36.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:36.390", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.61,8.62]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "PeopleSoft Enterprise PeopleTools", "source": "cna", "vendor": "Oracle Corporation"}, "product": "peoplesoft_enterprise_peopletools", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T07:11:32.065882+00:00", "value": {"mitigation_remediation": ["Apply the latest security patch or upgrade to a later PeopleSoft PeopleTools release that includes the fix", "Restrict HTTP access to the PeopleSoft application to trusted IP ranges or a protected network segment", "Enforce strict role\u2011based access controls so users only have the minimum privileges necessary", "Regularly review audit logs for unauthorized access attempts and unexpected data changes"], "summary": {"action": "Patch", "impact": "Unauthorized creation, deletion, or modification of critical data by a low-privileged network attacker"}, "threat_synthesis": {"affected_systems": "The products affected are Oracle Corporation\u2019s PeopleSoft Enterprise PeopleTools, specifically versions 8.61 and 8.62. Users running these releases are exposed to the described exploit and must review their deployment for potential exposure.", "description_and_impact": "A vulnerability in Oracle PeopleSoft Enterprise PeopleTools permits an attacker with low privileges over HTTP to create, delete, or alter data. The impact covers both confidentiality and integrity, enabling unauthorized access to critical information and manipulation of all data exposed by the application. The CVSS 3.1 base score of 8.1 reflects significant risk to the integrity and confidentiality of data within the system.", "risk_and_exploitability": "The vulnerability can be triggered over a standard HTTP connection by an attacker with limited permissions, implying that any host with network visibility can attempt exploitation. The CVSS score indicates a high severity, but the EPSS is not available and the issue is not listed in CISA\u2019s KEV catalog, suggesting that widespread exploitation may not yet be observed. Nonetheless, the low attack effort and clear impact warrant timely attention."}}}}, "created": "2026-04-22T02:30:05.614807+00:00", "title": "Low-Privilege HTTP Exploit Enables Unauthorized Data Modification in PeopleSoft Enterprise PeopleTools", "updated": "2026-04-22T07:15:11.670752+00:00", "vendors": ["oracle", "oracle$PRODUCT$peoplesoft_enterprise_peopletools"], "weaknesses": ["CWE-284"]}