ctipilot.ch

Oracle June 2026 CSPU — Solaris RAD CVSS 10.0 (CVE-2026-46978) + PeopleSoft 9.8 (CVE-2026-35278)

cve · CVE-2026-46978

Coverage timeline
1
first 2026-06-18 → last 2026-06-18
Briefs
1
1 distinct
Sources cited
27
18 hosts
Sections touched
1
trending_vulns
Co-occurring entities
1
see Related entities below

Story timeline

  1. 2026-06-18CTI Daily Brief — 2026-06-18
    trending_vulnsFirst coverage; June CSPU pre-auth criticals (CVE-2026-46978 Solaris RAD 10.0, CVE-2026-35278 PeopleSoft 9.8); January WebLogic-proxy critical dropped as out-of-window

Where this entity is cited

  • trending_vulns1

Source distribution

  • bleepingcomputer.com4 (15%)
  • oracle.com3 (11%)
  • securityweek.com3 (11%)
  • attack.mitre.org2 (7%)
  • thehackernews.com2 (7%)
  • careers.ox.ac.uk1 (4%)
  • cloud.google.com1 (4%)
  • horizon3.ai1 (4%)
  • other10 (37%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (27)

Items in briefs about Oracle June 2026 CSPU — Solaris RAD CVSS 10.0 (CVE-2026-46978) + PeopleSoft 9.8 (CVE-2026-35278) (1)

CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (CVSS 10.0) and PeopleSoft RCE (9.8)

From CTI Daily Brief — 2026-06-18 · published 2026-06-18 · view item permalink →

Oracle's June 2026 Critical Security Patch Update shipped 245 fixes on 2026-06-17, ~100 of them remotely exploitable without authentication (SecurityWeek, 2026-06-17 · Oracle, 2026-06-17). The two standouts for this audience are both pre-auth: CVE-2026-46978 (CVSS 10.0) in the Oracle Solaris 11.4 Remote Administration Daemon (RAD), reachable by an unauthenticated attacker over its default HTTPS management interface, and CVE-2026-35278 (CVSS 9.8), a missing-authentication RCE in PeopleSoft PeopleTools 8.61/8.62 Performance Monitor (T1190). Oracle reports no in-the-wild exploitation at publication; the unauthenticated network vectors warrant emergency prioritisation. Patch internet-facing PeopleSoft and middleware tiers first; as interim hardening, scope the Solaris RAD daemon to localhost where remote administration is not required.