Oracle April 2026 Critical Patch Update Addresses 241 CVEs
Oracle addresses 241 CVEs in its second quarterly update of 2026 with 481 patches, including 34 critical updates.
Key takeaways:
- The second Critical Patch Update (CPU) for 2026 contains fixes for 241 unique CVEs in 481 security updates
- 34 issues (7.1% of all patches) were assigned a critical severity rating
- Oracle Communications received the highest number of patches at 139, accounting for 28.9% of all patches
Background
On April 21, Oracle released its Critical Patch Update (CPU) for April 2026, the second quarterly update of the year. This CPU contains fixes for 241 unique CVEs in 481 security updates across 28 Oracle product families. Out of the 481 security updates published this quarter, 7.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.9%, followed by medium severity patches at 44.1%.
This quarter's update includes 34 critical patches across 22 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 34 | 22 |
| High | 221 | 99 |
| Medium | 212 | 107 |
| Low | 14 | 13 |
| Total | 481 | 241 |
Analysis
This quarter, the Oracle Communications product family contained the highest number of patches at 139, accounting for 28.9% of the total patches, followed by Oracle Financial Services Applications at 75 patches, which accounted for 15.6% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Communications | 139 | 93 |
| Oracle Financial Services Applications | 75 | 59 |
| Oracle Fusion Middleware | 59 | 46 |
| Oracle MySQL | 34 | 3 |
| Oracle PeopleSoft | 21 | 7 |
| Oracle E-Business Suite | 18 | 8 |
| Oracle Analytics | 15 | 11 |
| Oracle Retail Applications | 15 | 15 |
| Oracle Siebel CRM | 14 | 13 |
| Oracle Java SE | 11 | 7 |
| Oracle GoldenGate | 10 | 7 |
| Oracle Enterprise Manager | 9 | 8 |
| Oracle Virtualization | 9 | 1 |
| Oracle Database Server | 8 | 4 |
| Oracle Utilities Applications | 7 | 6 |
| Oracle Hyperion | 6 | 4 |
| Oracle Construction and Engineering | 4 | 3 |
| Oracle Life Science Applications | 4 | 3 |
| Oracle Supply Chain | 4 | 2 |
| Oracle Blockchain Platform | 3 | 2 |
| Oracle Commerce | 3 | 2 |
| Oracle JD Edwards | 3 | 3 |
| Oracle Adapter for Eclipse RDF4J | 2 | 2 |
| Oracle Autonomous Health Framework | 2 | 1 |
| Oracle REST Data Services | 2 | 2 |
| Oracle Systems | 2 | 1 |
| Oracle TimesTen In-Memory Database | 1 | 1 |
| Oracle Hospitality Applications | 1 | 1 |
Solution
Customers are advised to apply all relevant patches in this quarter's CPU. Please refer to the April 2026 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Patch Update Advisory - April 2026
- Oracle April 2026 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Research Special Operations
The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.
Related articles
Claude Mythos: Prepare for your board’s cybersecurity questions about the latest AI model from Anthropic
With the Federal Reserve Chairman meeting with bank CEOs to discuss the security implications of Claude Mythos, you can bet that your board of directors will ask you about the impact of the AI model on your cybersecurity strategy. Here’s how to prepare.
Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201)
Microsoft addresses 163 CVEs in the April 2026 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild.
Crushing the Axios supply chain threat with Tenable Hexa AI: Use cases for agentic AI
See how you can use Tenable Hexa AI to determine in minutes if you're impacted by the Axios npm supply chain attack. Learn how easy it is to automate configuration of scans, identify impacted assets, prioritize remediation, and more using agentic AI from Tenable.
- Exposure Management
- Vulnerability Management