two unauthenticated remote-code-execution flaws rated 9.8 were disclosed the same day — one in oracle peoplesoft, already being actively exploited by the shinyhunters extortion group against governments and universities, and one in splunk enterprise, enabled by default on cloud instances. both require no login to exploit.