Oracle has released 337 new security patches for over 30 products as part of its first Critical Patch Update (CPU) for 2026.
There appear to be roughly 230 unique CVEs in Oracle’s January 2026 CPU advisory.
More than two dozen of the new fixes resolve critical-severity vulnerabilities, and over 235 patches address flaws that are remotely exploitable without authentication.
Roughly half a dozen patches address CVE-2025-66516 (CVSS score of 10/10), a critical defect in Apache Tika that could lead to XML External Entity (XXE) injection attacks.
Impacting three modules of Apache Tika, the vulnerability can be exploited by inserting crafted XFA files inside PDF documents.
Oracle products that received patches for the issue include Commerce, Communications, Construction and Engineering, Fusion Middleware, and PeopleSoft.
Once again, Oracle Communications received the largest number of security fixes, at 56. Of these, 34 resolve bugs that can be exploited by remote, unauthenticated attackers.
Next in line is Fusion Middleware, with 51 new security patches, including 47 for weaknesses that can be exploited remotely, without authentication.
Financial Services Applications received 38 new fixes (33 for remotely exploitable, unauthenticated issues), while MySQL got 20 patches (7 for flaws that can be exploited by remote, unauthenticated attackers).
This month, Siebel CRM, Retail Applications, and Virtualization received 14 security patches each, but the number of issues that are remotely exploitable without authentication differs (11, 10, and 1, respectively).
A significant number of fixes were also rolled out for Hyperion (12 patches – 10 for remotely exploitable, unauthenticated vulnerabilities), PeopleSoft (12 – 10), Java SE (11 – 11), and Supply Chain (10 – 8).
More than two dozen Oracle products received fewer than 10 new security fixes, including Construction and Engineering (8 – 7), Analytics (8 – 6), E-Business Suite (8 – 2), Commerce (7 – 6), JD Edwards (7 – 5), Database Server (7 – 2), HealthCare Applications (6 – 6), Utilities Applications (5 – 4), GoldenGate (5 – 3), and Health Sciences Applications (5 – 3).
Many of the products that were updated also received fixes for additional flaws and non-exploitable bugs. For several products, Oracle only patched non-exploitable third-party CVEs.
On Tuesday, Oracle published a security bulletin describing 14 new security patches for the Oracle Solaris Operating System, including 11 for bugs that can be exploited remotely, without authentication.
