Oracle Critical Patch Update, June 2026 Security Update Review
Oracle June 2026 Critical Patch Update addresses 245 vulnerabilities across 11 product families.
Summary
Oracle released its June 2026 Critical Patch Update covering 245 security vulnerabilities across multiple product families, with Oracle Fusion Middleware receiving the most patches (106). The update includes critical-severity flaws in Fusion Middleware, E-Business Suite, JD Edwards, MySQL, and PeopleSoft that can lead to remote code execution when exploited over the network without credentials. Four of the 245 patches address non-Oracle CVEs affecting open-source components included in Oracle product distributions.
Full text
Table of ContentsQualys QID CoverageNotable Oracle Vulnerabilities Patched Oracle released its third quarterly edition of this year’s Critical Patch Update. The update received patches for 245 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products. In this quarterly Oracle Critical Patch Update, Oracle Fusion Middleware received the highest number of patches, 106, constituting about 44% of the total patches released. 4 of the 245 (about 2%) security patches in the June Critical Patch Update are for non-Oracle CVEs, such as open-source components included in, and exploitable within, Oracle product distributions. In these security updates, Oracle has covered product families such as Oracle Communications, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Fusion Middleware, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, and Oracle Virtualization. Qualys QID Coverage Qualys has released the following QIDS mentioned in the table: QIDsTitle20581 Oracle MySQL Server June 2026 Critical Patch Update (CPUJUN2026)20582 Oracle E-Business Suite Security Update (CPUJUN2026)296137 Oracle Solaris 11.4 Support Repository Update (SRU) 93.221.2 Missing (CPUJUN2026)387699Oracle Managed Virtualization (VM) VirtualBox June 2026 Critical Patch Update (CSPUJUN2026) Note: The table will be updated with additional QIDs once released. Notable Oracle Vulnerabilities Patched Oracle Fusion Middleware This Critical Patch Update for Oracle Fusion Middleware received 106 security patches. Out of these, 53 vulnerabilities can be exploited over a network without user credentials. A total of 67 vulnerabilities have critical severity ratings. Successful exploitation of these vulnerabilities can lead to remote code execution. Oracle E-Business Suite This Critical Patch Update for Oracle E-Business Suite received 55 security patches. Out of these, six vulnerabilities can be exploited over a network without user credentials. A total of 16 vulnerabilities have critical severity ratings. Successful exploitation of these vulnerabilities can lead to remote code execution. Oracle JD Edwards This Critical Patch Update for Oracle JD Edwards received 20 security patches. Out of these, 12 vulnerabilities can be exploited over a network without user credentials. A total of 18 vulnerabilities have critical severity ratings. Successful exploitation of these vulnerabilities can lead to remote code execution. Oracle MySQL This Critical Patch Update for Oracle MySQL received eight security patches. Out of these, four vulnerabilities can be exploited over a network without user credentials. CVE-2026-46850, CVE-2026-46860, and CVE-2026-46861 have critical severity and a CVSS score of 9.9, 9.8, and 9.6, respectively. Successful exploitation of the vulnerabilities can result in remote code execution. Oracle PeopleSoft This Critical Patch Update for Oracle PeopleSoft received 11 security patches. Out of these, seven vulnerabilities can be exploited over a network without user credentials. CVE-2026-35278 in the Performance Monitor of PeopleSoft Enterprise PT PeopleTools has critical severity with CVSS scores of 9.8. Successful exploitation of this vulnerability can result in remote code execution.
Indicators of Compromise
- cve — CVE-2026-46850
- cve — CVE-2026-46860
- cve — CVE-2026-46861
- cve — CVE-2026-35278