CVE-2026-22019 affects Oracle PeopleSoft Enterprise HCM Shared Components version 9.2, involving a vulnerability in the Person Search component. The flaw allows a low privileged attacker with network access over HTTP to compromise the component, contingent on user interaction from a third party. The vulnerability results in unauthorized read and write (update, insert, delete) access to some data within the affected component and may impact other related products (scope change). The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, required user interaction, and scope change with low confidentiality and integrity impact but no availability impact. Oracle’s April 2026 Critical Patch Update advisory references multiple patches across products but does not explicitly confirm a patch for this vulnerability. No public exploits are known.

Successful exploitation can lead to unauthorized read access and unauthorized modification (update, insert, delete) of some data accessible through PeopleSoft Enterprise HCM Shared Components. The vulnerability affects confidentiality and integrity but does not impact availability. The scope of impact may extend beyond the HCM Shared Components to additional Oracle products. No known active exploitation has been reported.

Patch status is not yet confirmed — check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Oracle strongly recommends applying Critical Patch Updates promptly to mitigate vulnerabilities. Until an official patch is confirmed and applied, organizations should consider limiting network exposure of affected PeopleSoft components and ensure that user interaction vectors are minimized. Monitor Oracle advisories for updates on patch availability specific to this vulnerability.