Oracle addresses 241 CVEs in its second quarterly update of 2026 with 481 patches, including 34 critical updates.
Key takeaways:
- The second Critical Patch Update (CPU) for 2026 contains fixes for 241 unique CVEs in 481 security updates
- 34 issues (7.1% of all patches) were assigned a critical severity rating
- Oracle Communications received the highest number of patches at 139, accounting for 28.9% of all patches
Background
On April 21, Oracle released its Critical Patch Update (CPU) for April 2026, the second quarterly update of the year. This CPU contains fixes for 241 unique CVEs in 481 security updates across 28 Oracle product families. Out of the 481 security updates published this quarter, 7.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.9%, followed by medium severity patches at 44.1%.
This quarter’s update includes 34 critical patches across 22 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 34 | 22 |
| High | 221 | 99 |
| Medium | 212 | 107 |
| Low | 14 | 13 |
| Total | 481 | 241 |
Analysis
This quarter, the Oracle Communications product family contained the highest number of patches at 139, accounting for 28.9% of the total patches, followed by Oracle Financial Services Applications at 75 patches, which accounted for 15.6% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Communications | 139 | 93 |
| Oracle Financial Services Applications | 75 | 59 |
| Oracle Fusion Middleware | 59 | 46 |
| Oracle MySQL | 34 | 3 |
| Oracle PeopleSoft | 21 | 7 |
| Oracle E-Business Suite | 18 | 8 |
| Oracle Analytics | 15 | 11 |
| Oracle Retail Applications | 15 | 15 |
| Oracle Siebel CRM | 14 | 13 |
| Oracle Java SE | 11 | 7 |
| Oracle GoldenGate | 10 | 7 |
| Oracle Enterprise Manager | 9 | 8 |
| Oracle Virtualization | 9 | 1 |
| Oracle Database Server | 8 | 4 |
| Oracle Utilities Applications | 7 | 6 |
| Oracle Hyperion | 6 | 4 |
| Oracle Construction and Engineering | 4 | 3 |
| Oracle Life Science Applications | 4 | 3 |
| Oracle Supply Chain | 4 | 2 |
| Oracle Blockchain Platform | 3 | 2 |
| Oracle Commerce | 3 | 2 |
| Oracle JD Edwards | 3 | 3 |
| Oracle Adapter for Eclipse RDF4J | 2 | 2 |
| Oracle Autonomous Health Framework | 2 | 1 |
| Oracle REST Data Services | 2 | 2 |
| Oracle Systems | 2 | 1 |
| Oracle TimesTen In-Memory Database | 1 | 1 |
| Oracle Hospitality Applications | 1 | 1 |
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the April 2026 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.