Oracle has issued a substantial update, releasing 481 security patches as part of its April 2026 Critical Patch Update (CPU). This comprehensive update spans 28 product families and addresses over 300 vulnerabilities that could be exploited remotely without the need for authentication. Notably, around three dozen of these patches correct critical security flaws.
Details on Vulnerabilities and Patches
The recent update lists approximately 450 distinct Common Vulnerabilities and Exposures (CVEs) on Oracle’s CPU page. Of these, nearly 240 are detailed in the risk matrix tables. Additional CVEs have been addressed, including issues stemming from third-party software that are not directly exploitable within Oracle’s own products. Some CVEs have been patched across multiple Oracle offerings, while others received third-party fixes.
Key Product Families Affected
Oracle Communications saw the highest number of security updates, totaling 139 patches, with 93 targeting remotely exploitable vulnerabilities. Financial Services Applications followed with 75 new security fixes, 59 of which are for remote, unauthenticated issues. Fusion Middleware received 59 patches, with 46 addressing similar vulnerabilities.
Other notable updates include patches for MySQL (34 fixes, 3 critical), PeopleSoft (21, 7 critical), E-Business Suite (18, 8 critical), Analytics (15, 11 critical), Retail Applications (15, all critical), and Siebel CRM (14, 13 critical).
Additional Products and Historical Vulnerabilities
Several Oracle products received nearly a dozen patches each, such as Java SE (11 patches, 7 critical), GoldenGate (10, 7 critical), and Enterprise Manager (9, 8 critical). The update also covers vulnerabilities in products like Adapter for Eclipse RDF4J, Autonomous Health Framework, and Blockchain Platform, among others.
Approximately 390 vulnerabilities addressed in this update were publicly disclosed within the last two years. The remaining vulnerabilities trace back to earlier years, including five from as far back as 2020 and 2021.
This significant update follows Oracle’s emergency patch in March 2026 for a critical remote code execution flaw, CVE-2026-21992, in Identity Manager and Web Services Manager.
The April 2026 CPU highlights Oracle’s ongoing commitment to enhancing the security of its products and ensuring users are protected against evolving threats.
