Oracle April 2026 Critical Patch Update Addresses 241 CVEs

Blog / Cyber Exposure Alerts Subscribe Oracle April 2026 Critical Patch Update Addresses 241 CVEs Research Special Operations April 21, 2026 2 Min Read Oracle addresses 241 CVEs in its second quarterly update of 2026 with 481 patches, including 34 critical updates. Key takeaways: The second Critical Patch Update (CPU) for 2026 contains fixes for 241 unique CVEs in 481 security updates   34 issues (7.1% of all patches) were assigned a critical severity rating   Oracle Communications received the highest number of patches at 139, accounting for 28.9% of all patches   Background On April 21, Oracle released its Critical Patch Update (CPU) for April 2026, the second quarterly update of the year. This CPU contains fixes for 241 unique CVEs in 481 security updates across 28 Oracle product families. Out of the 481 security updates published this quarter, 7.1% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.9%, followed by medium severity patches at 44.1%. This quarter's update includes 34 critical patches across 22 CVEs. Severity Issues Patched CVEs Critical 34 22 High 221 99 Medium 212 107 Low 14 13 Total 481 241 Analysis This quarter, the Oracle Communications product family contained the highest number of patches at 139, accounting for 28.9% of the total patches, followed by Oracle Financial Services Applications at 75 patches, which accounted for 15.6% of the total patches. A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication. Oracle Product Family Number of Patches Remote Exploit without Auth Oracle Communications 139 93 Oracle Financial Services Applications 75 59 Oracle Fusion Middleware 59 46 Oracle MySQL 34 3 Oracle PeopleSoft 21 7 Oracle E-Business Suite 18 8 Oracle Analytics 15 11 Oracle Retail Applications 15 15 Oracle Siebel CRM 14 13 Oracle Java SE 11 7 Oracle GoldenGate 10 7 Oracle Enterprise Manager 9 8 Oracle Virtualization 9 1 Oracle Database Server 8 4 Oracle Utilities Applications 7 6 Oracle Hyperion 6 4 Oracle Construction and Engineering 4 3 Oracle Life Science Applications 4 3 Oracle Supply Chain 4 2 Oracle Blockchain Platform 3 2 Oracle Commerce 3 2 Oracle JD Edwards 3 3 Oracle Adapter for Eclipse RDF4J 2 2 Oracle Autonomous Health Framework 2 1 Oracle REST Data Services 2 2 Oracle Systems 2 1 Oracle TimesTen In-Memory Database 1 1 Oracle Hospitality Applications 1 1 Solution Customers are advised to apply all relevant patches in this quarter's CPU. Please refer to the April 2026 advisory for full details. Identifying affected systems A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released. Get more information Oracle Critical Patch Update Advisory - April 2026 Oracle April 2026 Critical Patch Update Risk Matrices Oracle Advisory to CVE Map Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats. Learn more about Tenable One, the Exposure Management Platform for the modern attack surface. Research Special Operations The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures. Related articles April 14, 2026 Claude Mythos: Prepare for your board’s cybersecurity questions about the latest AI model from Anthropic With the Federal Reserve Chairman meeting with bank CEOs to discuss the security implications of Claude Mythos, you can bet that your board of directors will ask you about the impact of the AI model on your cybersecurity strategy. Here’s how to prepare. Vlad Korsunsky April 14, 2026 Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201) Microsoft addresses 163 CVEs in the April 2026 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild. Research Special Operations April 10, 2026 Crushing the Axios supply chain threat with Tenable Hexa AI: Use cases for agentic AI See how you can use Tenable Hexa AI to determine in minutes if you're impacted by the Axios npm supply chain attack. Learn how easy it is to automate configuration of scans, identify impacted assets, prioritize remediation, and more using agentic AI from Tenable. By James Davies Exposure Management Vulnerability Management Tenable Lumin Tenable Nessus Tenable Nessus Network Monitor Tenable One Tenable Patch Management Tenable Security Center Tenable Security Center Plus Tenable Vulnerability Management Cybersecurity news you can use Enter your email and never miss timely alerts and security guidance from the experts at Tenable. Email Address Submit