Exploited CVEs / Oracle / CVE-2026-35273

CVE-2026-35273

Actively exploited Oracle PeopleSoft Enterprise PeopleTools vulnerability, Critical severity, CVSS 9.8. Added to the CISA KEV catalog 2026-06-12.

Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability. Exploitation in the wild is confirmed by CISA, not predicted, and the vulnerability is known to be used in ransomware campaigns. Federal agencies were required to remediate by 2026-06-15 (that deadline has passed); treat that date as the outer bound for your own environment. The fix is in the vendor advisory: Oracle Critical Patch Updates, linked below.

CriticalCISA KEVRansomware

Risk summary

CVSS base
9.8
EPSS exploit probability
92%
Severity
Critical
Added to KEV
2026-06-12
CISA due date
2026-06-15 (past due)

Ask your own AI about CVE-2026-35273

Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.

CISA required action

Federal (BOD 22-01) remediation due date: 2026-06-15 (past due).

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Official fix for CVE-2026-35273

The authoritative fix and affected-version list are published by the vendor. Find the PeopleSoft Enterprise PeopleTools advisory on Oracle Critical Patch Updates.

Common questions about CVE-2026-35273

Is CVE-2026-35273 actively exploited?

Yes. CVE-2026-35273 was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2026-06-12, which means exploitation in the wild has been confirmed, not predicted. Its EPSS 30-day exploitation probability is 92%. CISA also reports it is known to be used in ransomware campaigns.

What is the CISA deadline and required action for CVE-2026-35273?

CISA set the federal (BOD 22-01) remediation due date at 2026-06-15, which has passed; treat any unremediated system as overdue. The verbatim required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

What fixes CVE-2026-35273?

The authoritative fix is in the vendor advisory: see Oracle Critical Patch Updates for the patched PeopleSoft Enterprise PeopleTools versions and any workarounds. KEV listing makes this a fix-first item: patch it ahead of higher-CVSS issues nobody is exploiting.

Can I ask my own AI about CVE-2026-35273?

Yes. This page includes a free, ready-to-paste AI prompt containing CVE-2026-35273's key facts: severity, CVSS, EPSS, the KEV date, the CISA due date, and the required action. Copy it into Claude, ChatGPT, or Copilot; the data is refreshed daily.

More exploited Oracle CVEs

The newest Oracle entries on the CISA KEV catalog:

All Oracle exploited CVEs on one page: Oracle vulnerabilities actively exploited.

Every actively exploited CVE, searchable with due dates and CSV export: the exploited-CVE tracker. The newest additions: exploited this week.

Sponsored by Senserva

Siemserva by Senserva reports patch status for your own devices: which ones are exposed to CVE-2026-35273, for example, ranked by what attackers actually exploit.

  • Patch status in one scan: which devices are affected, which are not
  • Missing updates ranked by CISA KEV and EPSS, so you fix the right things first
  • Data from Intune, Microsoft Defender, Windows Autopatch, and Azure Update Manager, with more sources on the way
  • Third-party app patching too: updates published to Intune by PatchMyPC, Scappman, Robopack, or any vendor, read vendor-neutrally
  • Optional AI Enhanced Reporting: plain-language summaries and recommended next steps written into your reports
  • Then go further: 650+ security checks, compliance evidence, and Senserva Trustworthy AI driven configuration remediation
Patch Status Report
CVE-2026-35273 exposure across 110 devices, ranked by exploitation
23
EXPOSED TO CVE-2026-35273
87
UP TO DATE
41
OTHER UPDATES DUE
UPDATESEVERITYKEVMISSING
CVE-2026-35273CriticalEXPLOITED23
KB5094142High-11
KB5094139High-6
Estimated report, sample data for illustration
Get Going with Senserva Senserva patching Built for IT admins and security teams, with audit-ready data for compliance. Senserva is a Microsoft Intelligent Security Association member.
Senserva patching for Microsoft 365
Two minutes, click to play

Patching in action in two minutes. Watch page · All videos.

Lexicon: the terms on this page
CVE
Common Vulnerabilities and Exposures. A unique ID for one publicly known vulnerability, such as CVE-2025-1234.
KB
Microsoft Knowledge Base article. The identifier for a specific Microsoft update.
KEV
CISA Known Exploited Vulnerabilities. CVEs confirmed exploited in the wild. Fix these first.
CVSS
Common Vulnerability Scoring System. A standardized Severity score from 0 to 10.
EPSS
Exploit Prediction Scoring System. The probability a CVE will be exploited in the next 30 days.
MSRC
Microsoft Security Response Center. Microsoft's Patch Tuesday advisories and KB-to-CVE mapping.
NVD
National Vulnerability Database (NIST). Authoritative CVE metadata and CVSS scores.
Ransomware
The vulnerability is linked to known ransomware activity.
Reference: the Microsoft patching guide, how Intune, Windows Autopatch, Defender, and Azure Update Manager fit together.
Data notice: this page, the feeds, and the API are provided as is, for informational purposes only, without warranty of any kind. Senserva, LLC does not guarantee the accuracy, completeness, or timeliness of third-party data (MSRC, NVD, CISA KEV, EPSS) and accepts no liability for actions taken based on it; verify against the authoritative vendor advisory before acting. Built daily with Senserva Trustworthy AI. All use of this data is subject to the Senserva EULA.