CVE-2026-22019
Received Received - Intake
Unauthorized Data Modification via Person Search in PeopleSoft HCM

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: Oracle

Description
Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Person Search). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Shared Components. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Shared Components, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Shared Components accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Shared Components accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22019
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oracle peoplesoft_enterprise_hcm_shared_components 9.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft, specifically in the Person Search component. It is an easily exploitable flaw that allows a low privileged attacker with network access via HTTP to compromise the system. Successful exploitation requires human interaction from someone other than the attacker. The vulnerability can lead to unauthorized update, insertion, or deletion of some accessible data, as well as unauthorized read access to a subset of accessible data within the PeopleSoft Enterprise HCM Shared Components.

Impact Analysis

The impact of this vulnerability includes unauthorized modification (update, insert, delete) and unauthorized reading of certain data within the PeopleSoft Enterprise HCM Shared Components. This means an attacker could alter or view sensitive information they should not have access to. Additionally, because the scope of the attack can extend beyond the initial component, other related products may also be significantly affected.

Compliance Impact

The vulnerability allows unauthorized read and modification access to certain data within PeopleSoft Enterprise HCM Shared Components. Such unauthorized access and data manipulation could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to ensure confidentiality and integrity.

However, the provided information does not explicitly mention the impact on compliance with specific standards or regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22019. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart