Oracle addresses 241 CVEs in its second quarterly update of 2026 with 481 patches, including 34 critical updates.Key takeaways:The second Critical Patch Update (CPU) for 2026 contains fixes for 241 unique CVEs in 481 security updates 34 issues (7.1% of all patches) were assigned a critical severity rating Oracle Communications received the highest number of patches at 139, accounting for 28.9% of all patches BackgroundOn April 21, Oracle released its Critical Patch Update (CPU) for April 2026, the second quarterly update of the year. This CPU contains fixes for 241 unique CVEs in 481 security updates across 28 Oracle product families. Out of the 481 security updates published this quarter, 7.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.9%, followed by medium severity patches at 44.1%.This quarter's update includes 34 critical patches across 22 CVEs.SeverityIssues PatchedCVEsCritical3422High22199Medium212107Low1413Total481241AnalysisThis quarter, the Oracle Communications product family contained the highest number of patches at 139, accounting for 28.9% of the total patches, followed by Oracle Financial Services Applications at 75 patches, which accounted for 15.6% of the total patches.A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.Oracle Product FamilyNumber of PatchesRemote Exploit without AuthOracle Communications13993Oracle Financial Services Applications7559Oracle Fusion Middleware5946Oracle MySQL343Oracle PeopleSoft217Oracle E-Business Suite188Oracle Analytics1511Oracle Retail Applications1515Oracle Siebel CRM1413Oracle Java SE117Oracle GoldenGate107Oracle Enterprise Manager98Oracle Virtualization91Oracle Database Server84Oracle Utilities Applications76Oracle Hyperion64Oracle Construction and Engineering43Oracle Life Science Applications43Oracle Supply Chain42Oracle Blockchain Platform32Oracle Commerce32Oracle JD Edwards33Oracle Adapter for Eclipse RDF4J22Oracle Autonomous Health Framework21Oracle REST Data Services22Oracle Systems21Oracle TimesTen In-Memory Database11Oracle Hospitality Applications11SolutionCustomers are advised to apply all relevant patches in this quarter's CPU. Please refer to the April 2026 advisory for full details.Identifying affected systemsA list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.Get more informationOracle Critical Patch Update Advisory - April 2026Oracle April 2026 Critical Patch Update Risk MatricesOracle Advisory to CVE MapJoin Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

Oracle released its April 2026 Critical Patch Update (CPU), the second quarterly security update of the year. It addresses 241 unique CVEs across 481 security patches spanning 28 Oracle product families. Of the patches, 34 (7.1%) are critical severity, 221 are high severity, and 212 are medium severity. Oracle Communications received the most patches at 139 (28.9% of total), followed by Oracle Financial Services Applications at 75. Many vulnerabilities are remotely exploitable without authentication. Oracle customers are advised to apply all relevant patches immediately.

Oracle April 2026 Critical Patch Update Addresses 241 CVEs