Oracle disclosed three high-severity vulnerabilities affecting core enterprise products in its Critical Patch Update advisory. CVE-2026-34279 impacts the Event Management component of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 and is rated CVSS 9.1; Oracle said a high-privileged attacker with network access over HTTP could exploit the flaw to take over the platform, with potential impact extending to additional products because of a scope change. CVE-2026-34286, also rated CVSS 9.1, affects the Core component of Oracle Identity Manager Connector in Oracle Fusion Middleware version 12.2.1.4.0 and can be exploited by an unauthenticated attacker over HTTPS.
Oracle also reported CVE-2026-34309 in the Security component of PeopleSoft Enterprise PeopleTools versions 8.61 through 8.62, assigning it a CVSS 8.1 score. The flaw is described as easily exploitable by a low-privileged attacker with network access over HTTP and could allow unauthorized creation, deletion, or modification of critical data, along with access to sensitive or complete accessible data. Across the three disclosures, Oracle warned that successful exploitation could result in platform compromise, data tampering, and broad unauthorized access in widely deployed enterprise management and identity systems.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Oracle issued its January 2026 Critical Patch Update covering Oracle Database Server vulnerabilities. The Tenable reference indicates this was a distinct Oracle CPU disclosure affecting Database Server products, separate from the April 2026 advisories already in the timeline.
Oracle's April 2026 Critical Patch Update advisory also discloses CVE-2026-34309 in the Security component of PeopleSoft Enterprise PeopleTools versions 8.61 through 8.62. Oracle says a low-privileged attacker with HTTP network access could exploit it to access or modify critical data; the issue carries a CVSS 8.1 score.
Oracle disclosed CVE-2026-34286 in the April 2026 Critical Patch Update advisory as affecting the Core component of Oracle Identity Manager Connector version 12.2.1.4.0. The vulnerability is described as remotely exploitable by an unauthenticated attacker over HTTPS and could allow unauthorized data access or modification; Oracle assigned it a CVSS 9.1 score.
Oracle's April 2026 Critical Patch Update advisory includes CVE-2026-34279, affecting the Event Management component of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. Oracle says the flaw is easily exploitable by a high-privileged attacker over HTTP and could enable takeover of the platform, with a CVSS 9.1 score.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
hkcert.org
Open sourceccb.belgium.be
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourcetenable.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.