This vulnerability affects Oracle PeopleSoft Enterprise CS Student Records 9.2, allowing a low privileged attacker with network access over HTTP to compromise the system's confidentiality. Successful exploitation requires user interaction from a third party. The CVSS 3.1 base score is 5.7, reflecting a medium severity with high confidentiality impact but no integrity or availability impact. The vulnerability is documented in Oracle's April 2026 Critical Patch Update advisory, which includes numerous patches for multiple products, though no explicit patch link or confirmation for this specific CVE is provided in the advisory content.

Successful exploitation can lead to unauthorized access to critical or all accessible data within PeopleSoft Enterprise CS Student Records. The impact is limited to confidentiality, with no reported impact on integrity or availability. The requirement for user interaction reduces the likelihood of automated exploitation. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Oracle strongly recommends applying Critical Patch Updates promptly and remaining on actively supported versions. Until a specific patch is confirmed and applied, organizations should consider limiting network exposure of affected PeopleSoft components and educate users to be cautious of unexpected interactions that could trigger exploitation.