a group tracked as shinyhunters exploited an unpatched oracle peoplesoft flaw (cve-2026-35273, severity 9.8) between late may and june 9, breaching over 100 organizations — about 68 percent of them universities. as of june 10 oracle had released no patch. a single zero-day reaching this many institutions while no fix exists is an unusual concentration on the education sector.