This vulnerability affects Oracle PeopleSoft Enterprise HCM Shared Components version 9.2, specifically the Person Search component. It is exploitable remotely over the network via HTTP by an attacker with low privileges, requiring user interaction from a third party. The vulnerability allows unauthorized read and modification (update, insert, delete) of certain accessible data within the affected components. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, required user interaction, scope change, and impacts on confidentiality and integrity but no impact on availability. Oracle’s April 2026 Critical Patch Update advisory references multiple security patches across products but does not explicitly confirm a patch for this vulnerability. The vulnerability is published and assigned CVE-2026-22019 with a medium severity rating.

Successful exploitation can result in unauthorized read access to some PeopleSoft Enterprise HCM Shared Components data and unauthorized modification (update, insert, delete) of that data. This could affect data confidentiality and integrity within the PeopleSoft HCM environment and potentially impact additional products due to scope change. There is no reported impact on availability. No known exploits in the wild have been reported to date.

Patch status is not yet confirmed — check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Oracle strongly recommends applying Critical Patch Updates promptly to mitigate vulnerabilities. Until a patch is confirmed and applied, limit network exposure of affected PeopleSoft components and ensure that users are aware of social engineering risks since exploitation requires user interaction.