Unauthenticated Remote Code Execution in Oracle PeopleSoft Enterprise PeopleTools
CVE-2026-21938

6.1MEDIUM

Key Information:

Vendor: Oracle
Status: Peoplesoft Enterprise Peopletools
Vendor: CVE Published:; 20 January 2026

What is CVE-2026-21938?

A vulnerability exists in the Oracle PeopleSoft Enterprise PeopleTools, specifically within the Portal component, impacting versions 8.60, 8.61, and 8.62. This vulnerability can be easily exploited by an unauthenticated attacker with network access via HTTP, allowing unauthorized updates, inserts, or deletions of accessible data. While the attacks necessitate human interaction from another individual, they can have broader implications, potentially affecting additional products. The security risk associated with this issue encompasses both confidentiality and integrity impacts, exposing data vulnerabilities that organizations need to address promptly.

Affected Version(s)

PeopleSoft Enterprise PeopleTools 8.60

PeopleSoft Enterprise PeopleTools 8.61

PeopleSoft Enterprise PeopleTools 8.62

References

https://www.oracle.com/security-alerts/cpujan2026.html

vendor-advisory

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 20, 2026
Vulnerability Reserved
Jan 5, 2026

CVE-2026-21938 Data

JSON