ctipilot.ch

CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8)

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

Oracle's June Critical Security Patch Update shipped 245 fixes on 2026-06-17, around 100 of them remotely exploitable without authentication. The headline issues are an unauthenticated flaw in the Solaris Remote Administration Daemon (RAD) (CVE-2026-46978, CVSS 10.0) and a PeopleSoft RCE (CVE-2026-35278, 9.8) (Oracle CSPU; daily 06-18). The PeopleSoft fix lands in the middle of the ShinyHunters PeopleSoft campaign (§ 2); prioritise PeopleSoft and any internet-reachable Solaris RAD instances.