ctipilot.ch

CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (CVSS 10.0) and PeopleSoft RCE (9.8)

From CTI Daily Brief — 2026-06-18 · published 2026-06-18

Oracle's June 2026 Critical Security Patch Update shipped 245 fixes on 2026-06-17, ~100 of them remotely exploitable without authentication (SecurityWeek, 2026-06-17 · Oracle, 2026-06-17). The two standouts for this audience are both pre-auth: CVE-2026-46978 (CVSS 10.0) in the Oracle Solaris 11.4 Remote Administration Daemon (RAD), reachable by an unauthenticated attacker over its default HTTPS management interface, and CVE-2026-35278 (CVSS 9.8), a missing-authentication RCE in PeopleSoft PeopleTools 8.61/8.62 Performance Monitor (T1190). Oracle reports no in-the-wild exploitation at publication; the unauthenticated network vectors warrant emergency prioritisation. Patch internet-facing PeopleSoft and middleware tiers first; as interim hardening, scope the Solaris RAD daemon to localhost where remote administration is not required.