This vulnerability affects Oracle PeopleSoft Enterprise CS Campus Community version 9.2.38 and allows an unauthenticated attacker with network access over HTTP to compromise the system, potentially leading to full takeover. The CVSS 3.1 score is 8.1 with high impact on confidentiality, integrity, and availability. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update, which contains 245 security patches across multiple products including PeopleSoft. The vendor strongly advises customers to apply these patches without delay to mitigate the risk. No specific exploit details or known exploits in the wild have been reported. Workarounds include blocking network protocols required by the attack or removing unnecessary privileges, but these may disrupt normal operations.

Successful exploitation can result in complete compromise of PeopleSoft Enterprise CS Campus Community, impacting confidentiality, integrity, and availability of the system. The vulnerability is exploitable remotely without authentication but is considered difficult to exploit due to required conditions. No known active exploits have been reported.

Oracle has released a Critical Security Patch Update in June 2026 that includes patches addressing this vulnerability. Customers are strongly advised to apply the June 2026 Critical Security Patch Update promptly. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, though these measures may affect application functionality. Patch status is confirmed by the vendor advisory; therefore, applying the official patches is the recommended remediation.