ctipilot.ch


CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8)

notable · vulnerability · discovered 2026-06-22 00:14 UTC

Entities: ShinyHunters

Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)

Oracle's June Critical Security Patch Update shipped 245 fixes on 2026-06-17, around 100 of them remotely exploitable without authentication. The headline issues are an unauthenticated flaw in the Solaris Remote Administration Daemon (CVE-2026-46978, CVSS 10.0) and a PeopleSoft RCE (CVE-2026-35278, CVSS 9.8) (Oracle CSPU; daily 06-18). The PeopleSoft fix lands in the middle of the ShinyHunters PeopleSoft campaign (§ 2): prioritise PeopleSoft and any internet-reachable Solaris RAD instances.

Tags: vulnerabilities, rce, pre-auth, patch-available, global, CVE-2026-46978, CVE-2026-35278