By Zeljka Zorz
Publication Date: 2026-06-11 12:41:00
A zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft PeopleTools is being exploited in the wild, says Charles Carmakal, CTO at cybersecurity company Mandiant, part of Google Cloud, warned Today.
The warning comes a day after Oracle released an out-of-band Security warning about the flaw, which can be exploited remotely without authentication and could lead to remote code execution, affecting PeopleSoft PeopleTools versions 8.61 and 8.62 (and possibly earlier, unsupported versions).
Oracle thanked researchers at the TrendAI Zero Day Initiative and TrendAI Research for reporting the vulnerability.
The security alert refers to a “Patch Availability Document”. However, it is unclear whether a patch is currently available as the document can only be accessed by customers with a support account.
Help Net Security has reached out to Oracle to request confirmation as to whether CVE-2026-35273 is being actively exploited. However, we have not received a response yet.
