Oracle’s First Monthly Patches Resolve 77 Vulnerabilities

Summary

Oracle has launched its new monthly Critical Security Patch Update (CSPU) program, delivering 77 vulnerability fixes across five products including Database Server, E-Business Suite, and REST Data Services. The May 2026 CSPU addresses approximately a dozen critical-severity and numerous high-severity vulnerabilities, with many exploitable remotely without authentication. Oracle emphasizes the importance of timely patching, noting that attackers actively target unpatched Oracle vulnerabilities.

Full text

Oracle has debuted its monthly Critical Security Patch Update (CSPU) with patches for 77 vulnerabilities, including a dozen critical-severity flaws. Announced in early May, the monthly rollouts are meant to supplement the quarterly Critical Patch Update (CPU) fixes and resolve high-priority issues faster. The first CSPU landed at the end of May and will be followed by another in mid-June. July will see the release of a quarterly CPU, with two additional CSPUs planned for August 18 and September 15. The May 2026 CSPU resolves security defects in five Oracle products, namely Database Server, REST Data Services, Communications, E-Business Suite, and Hospitality Applications. E-Business Suite received 12 new security patches, including three for vulnerabilities that can be exploited remotely, without authentication. Oracle announced 11 new security patches for REST Data Services, including seven for bugs exploitable by remote, unauthenticated attackers. The fixes also resolve four bugs in third-party components, including three that are non-exploitable in this Oracle product family.Advertisement. Scroll to continue reading. Communications received eight new security patches, four of which address bugs that can be exploited remotely without authentication. The updates fix 38 additional CVEs in third-party components. Database Server received fixes for three security defects, all of which are exploitable remotely without authentication, while Hospitality Applications received one security patch for an issue that can be exploited by remote, unauthenticated attackers. Approximately a dozen of the addressed flaws are critical-severity vulnerabilities, and the majority of the remaining ones are high-severity weaknesses. Organizations are advised to apply the available updates as soon as possible, as threat actors are known to have targeted vulnerabilities in Oracle products for which patches have been released. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply security patches without delay,” the company notes. Related: Chrome 148 Update Patches 151 Vulnerabilities Related: Oracle Patches 450 Vulnerabilities With April 2026 CPU Related: WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites Related: Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Exploit Code Published for Critical Flowise RCE VulnerabilityCharter Communications Data Breach Could Impact Nearly 5 MillionMokN Raises $15 Million for Phish-Back PlatformGogs Zero-Day Exposes Servers to Remote Code ExecutionChrome 148 Update Patches 151 VulnerabilitiesGeordie Raises $30 Million for AI Security and Governance PlatformCarnival Data Breach Exposed 6 Million PeopleNew BTMOB Android Malware Enables Full Device Takeover Latest News WP Maps Pro Vulnerability Exploited to Take Over WordPress SitesDutch Police Dismantle Massive 17-Million-Device BotnetCritical Windows Netlogon Vulnerability in Attackers’ CrosshairsDragos Acquires xIoT Security Firm PhosphorusAs the Pentagon Pushes for Battlefield AI, Some Military Leaders Urge Caution19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root AccessRecent Palo Alto Networks Vulnerability Exploited for WeeksRussian Spies Are Aggressively Seeking Western Technology as Sanctions Bite, Officials Say Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Virtual Event: Threat Detection and Incident Response Summit On-Demand Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register People on the MoveRapid7 announced that Wael Mohamed will assume the role of Chief Executive Officer, replacing current Chief Executive Officer Corey Thomas, who will become Executive Chairman of the Board.Anurag Jain has been appointed Senior Vice President of Engineering at CodeHunter.CTERA has appointed Tal Sarfaty as Senior Vice President of Cybersecurity.More People On The MoveExpert Insights Raising the Cybersecurity Stakes: Ante up for the Agentic Era CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael) Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience is the New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Is the SOC Obsolete, and We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email

Entities