Oracle issued an out-of-band security alert for a critical vulnerability in its PeopleSoft enterprise software. The flaw, identified as CVE-2026-35273, carries a severity score of 9.8 out of 10. It allows for remote code execution without authentication and was exploited as a zero-day before the advisory.
The hacking group ShinyHunters claimed responsibility for breaching over 100 organizations. Universities and colleges represent approximately two-thirds of the affected entities. The group reportedly stole sensitive data, including student records.
Oracle has provided mitigation measures, but a full patch remains unavailable. Google's Mandiant confirmed the ongoing exploitation and notified affected organizations.