Oracle April 2026 Critical Patch Update Addresses 241 CVEs

Oracle addresses 241 CVEs in its second quarterly update of 2026 with 481 patches, including 34 critical updates.

Key takeaways:

- The second Critical Patch Update (CPU) for 2026 contains fixes for 241 unique CVEs in 481 security updates
- 34 issues (7.1% of all patches) were assigned a critical severity rating
- Oracle Communications received the highest number of patches at 139, accounting for 28.9% of all patches

Background
On April 21, Oracle released its Critical Patch Update (CPU) for April 2026, the second quarterly update of the year. This CPU contains fixes for 241 unique CVEs in 481 security updates across 28 Oracle product families. Out of the 481 security updates published this quarter, 7.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.9%, followed by medium severity patches at 44.1%.
This quarter’s update includes 34 critical patches across 22 CVEs.

| Severity | Issues Patched | CVEs |
|----------|----------------|------|
| Critical | 34 | 22 |
| High | 221 | 99 |
| Medium | 212 | 107 |
| Low | 14 | 13 |
| Total | 481 | 241 |

Analysis
This quarter, the Oracle Communications product family contained the highest number of patches at 139, accounting for 28.9% of the total patches, followed by Oracle Financial Services Applications at 75 patches, which accounted for 15.6% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|-----------------------|-------------------|-----------------------------|
| Oracle Communications | 139 | 93 |
| Oracle Financial Services Applications | 75 | 59 |
| Oracle Fusion Middleware | 59 | 46 |
| Oracle MySQL | 34 | 3 |
| Oracle PeopleSoft | 21 | 7 |
| Oracle E-Business Suite | 18 | 8 |
| Oracle Analytics | 15 | 11 |
| Oracle Retail Applications | 15 | 15 |
| Oracle Siebel CRM | 14 | 13 |
| Oracle Java SE | 11 | 7 |
| Oracle GoldenGate | 10 | 7 |
| Oracle Enterprise Manager | 9 | 8 |
| Oracle Virtualization | 9 | 1 |
| Oracle Database Server | 8 | 4 |
| Oracle Utilities Applications | 7 | 6 |
| Oracle Hyperion | 6 | 4 |
| Oracle Construction and Engineering | 4 | 3 |
| Oracle Life Science Applications | 4 | 3 |
| Oracle Supply Chain | 4 | 2 |
| Oracle Blockchain Platform | 3 | 2 |
| Oracle Commerce | 3 | 2 |
| Oracle JD Edwards | 3 | 3 |
| Oracle Adapter for Eclipse RDF4J | 2 | 2 |
| Oracle Autonomous Health Framework | 2 | 1 |
| Oracle REST Data Services | 2 | 2 |
| Oracle Systems | 2 | 1 |
| Oracle TimesTen In-Memory Database | 1 | 1 |
| Oracle Hospitality Applications | 1 | 1 |

Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2026 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information

Oracle Critical Patch Update Advisory – April 2026
Oracle April 2026 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map

Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Oracle April 2026 Critical Patch Update Addresses 241 CVEs appeared first on Security Boulevard.

Source: securityboulevard.com –
