ShinyHunters exploits Oracle PeopleSoft zero-day in 100+ breaches

ShinyHunters exploited an unpatched Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) to breach over 100 organizations, mostly universities. Oracle warned customers Thursday but has not released a patch. Mandiant confirmed the bug is the same one ShinyHunters is abusing. The University of Nottingham had 40 GB of data stolen.