This vulnerability in the Deployment Package component of Oracle PeopleSoft Enterprise PT PeopleTools (versions 8.61 and 8.62) allows an unauthenticated attacker who has logon access to the infrastructure to compromise the PeopleTools environment. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates local attack vector with low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Oracle has addressed this issue in its June 2026 Critical Security Patch Update, which includes patches for PeopleSoft PeopleTools. The vendor strongly urges customers to apply these patches without delay to mitigate the risk of takeover.

Successful exploitation can result in complete compromise of the PeopleSoft Enterprise PT PeopleTools environment, impacting confidentiality, integrity, and availability of the system. This could allow attackers to take over the affected product, potentially leading to unauthorized access, data manipulation, and service disruption.

Oracle has released patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these security patches promptly. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges or access to vulnerable packages for users. However, these mitigations may affect application functionality. Patch status is confirmed by the vendor advisory. No indication that the vulnerability is already mitigated without patching.