Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026–35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks.

The flaw is within Oracle PeopleSoft PeopleTools and has a CVSS base score of 9.8.

“This Security Alert addresses vulnerability CVE-2026–35273 in Oracle PeopleSoft PeopleTools. Oracle PeopleSoft Enterprise Applications customers may also be affected by this vulnerability,” reads a new Oracle advisory.