CVE-2026-35273 is an unauthenticated RCE zero-day in Oracle PeopleSoft’s Environment Management Hub that was actively exploited by ShinyHunters for 13 days before Oracle published an advisory, resulting in confirmed breaches at over 100 organizations and exposure of approximately 455,000 individuals including passport numbers and disability records. Higher education institutions are 68% of confirmed victims, but any organization running PeopleTools 8.61 or 8.62 with internet-accessible PSEMHUB is at immediate risk of full server compromise and data theft. Regulatory exposure under FERPA, GDPR, and UK DPA 2018 is material for confirmed-breach organizations.