Oracle Patches 450 Vulnerabilities With April 2026 CPU

Summary

Oracle released its April 2026 Critical Patch Update (CPU) on Tuesday, delivering 481 new security patches across 28 product families. Over 300 patches address remotely exploitable, unauthenticated vulnerabilities, with approximately 36 patches resolving critical-severity flaws. Oracle Communications received the largest patch volume at 139, followed by Financial Services Applications with 75 and Fusion Middleware with 59 fixes.

Full text

Oracle on Tuesday announced the release of 481 new security patches as part of its April 2026 Critical Patch Update (CPU). Across the 28 product families that received security updates, more than 300 patches address vulnerabilities that are remotely exploitable without authentication. Roughly three dozen fixes resolve critical-severity security defects. There appear to be approximately 450 unique CVEs listed on the latest Oracle CPU page. Approximately 240 are included in the risk matrix tables, but additional CVEs have been fixed as well, along with third-party issues not exploitable in Oracle’s products. In some cases, the same CVE was patched in multiple products. For some products, Oracle did not release new security patches for exploitable weaknesses, but rolled out third-party patches. Oracle Communications received the largest number of security patches this month, at 139, including 93 for vulnerabilities that are remotely exploitable without authentication. Financial Services Applications was the second-most-impacted Oracle product, with 75 new security fixes, 59 of which addressed remote, unauthenticated bugs. Fusion Middleware followed closely, with 59 patches (46 flaws exploitable remotely, without authentication).Advertisement. Scroll to continue reading. Oracle also released a significant number of patches for MySQL (34 fixes – 3 for issues exploitable by remote, unauthenticated attackers), PeopleSoft (21 – 7), E-Business Suite (18 – 8), Analytics (15 – 11), Retail Applications (15 – 15), and Siebel CRM (14 – 13). Several products received close to a dozen patches each, including Java SE (11 – 7), GoldenGate (10 – 7), Enterprise Manager (9 – 8), Virtualization (9 – 1), and Database Server (8 – 4). Fixes were also released for Adapter for Eclipse RDF4J, Autonomous Health Framework, Blockchain Platform, REST Data Services, TimesTen In-Memory Database, Commerce, Construction and Engineering, Life Science Applications, Hospitality Applications, Hyperion, JD Edwards, Supply Chain, Systems, and Utilities Applications. Approximately 390 of the vulnerabilities resolved with the latest Oracle patches were publicly disclosed over the past two years. Most of the remaining ones are from 2022-2024, but five were disclosed over half a decade ago: four in 2021 and one in 2020. Oracle published the April 2026 CPU one month after it released an emergency patch for CVE-2026-21992, a critical-severity remote code execution flaw in Identity Manager and Web Services Manager. Related: Oracle’s First 2026 CPU Delivers 337 New Security Patches Related: Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster Related: Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities Related: Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire British Scattered Spider Hacker Pleads Guilty in the USHackers Abuse QEMU for Defense EvasionHalf of the 6 Million Internet-Facing FTP Servers Lack EncryptionHackers Fail to Exploit Flaw in Discontinued TP-Link RoutersTycoon 2FA Loses Phishing Kit Crown Amid Surge in AttacksTwo North Korean IT Worker Scheme Facilitators Jailed in the USCursor AI Vulnerability Exposed Developer Devices53 DDoS Domains Taken Down by Law Enforcement Latest News Google Antigravity in Crosshairs of Security Researchers, CybercriminalsThird US Security Expert Admits Helping Ransomware GangDozens of Malicious Crypto Apps Land in Apple App StoreUnsecured Perforce Servers Expose Sensitive Data From Major OrgsProgress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMasterOrganizations Warned of Exploited Cisco, Kentico, Zimbra VulnerabilitiesData Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000$290 Million Kelp DAO Crypto Heist Blamed on North Korea Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveAnti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors.ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer.Thomas Bain has been appointed Chief Marketing Officer at Silent Push.More People On The MoveExpert Insights Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-21992

Entities