PeopleSoft zero-day exploited, data stolen from hundreds

A critical zero-day vulnerability in Oracle's PeopleSoft software, tracked as CVE-2026-35273, has been actively exploited by the ShinyHunters ransomware group. This server-side request forgery flaw, rated 9.8 out of 10, allowed attackers to steal gigabytes of data from approximately 100 organizations, with a significant portion being in higher education. Researchers confirmed that victims are receiving extortion demands, and the University of Nottingham has already admitted to a data breach. Oracle has issued a temporary mitigation, but a full patch is still pending, leaving many organizations vulnerable to further attacks and data exfiltration.