Oracle Patches 450 Vulnerabilities With April 2026 CPU

Oracle on Tuesday announced the release of 481 new security patches as part of its April 2026 Critical Patch Update (CPU). Across the 28 product families that received security updates, more than 300 patches address vulnerabilities that are remotely exploitable without authentication. Roughly three dozen fixes resolve critical-severity security defects. There appear to be approximately 450 unique CVEs listed on the latest Oracle CPU page. Approximately 240 are included in the risk matrix tables, but additional CVEs have been fixed as well, along with third-party issues not exploitable in Oracle’s products. In some cases, the same CVE was patched in multiple products. For some products, Oracle did not release new security patches for exploitable weaknesses, but rolled out third-party patches. Oracle Communications received the largest number of security patches this month, at 139, including 93 for vulnerabilities that are remotely exploitable without authentication. Financial Services Applications was the second-most-impacted Oracle product, with 75 new security fixes, 59 of which addressed remote, unauthenticated bugs. Fusion Middleware followed closely, with 59 patches (46 flaws exploitable remotely, without authentication). Oracle also released a significant number of patches for MySQL (34 fixes – 3 for issues exploitable by remote, unauthenticated attackers), PeopleSoft (21 – 7), E-Business Suite (18 – 8), Analytics (15 – 11), Retail Applications (15 – 15), and Siebel CRM (14 – 13). Several products received close to a dozen patches each, including Java SE (11 – 7), GoldenGate (10 – 7), Enterprise Manager (9 – 8), Virtualization (9 – 1), and Database Server (8 – 4). Fixes were also released for Adapter for Eclipse RDF4J, Autonomous Health Framework, Blockchain Platform, REST Data Services, TimesTen In-Memory Database, Commerce, Construction and Engineering, Life Science Applications, Hospitality Applications, Hyperion, JD Edwards, Supply Chain, Systems, and Utilities Applications. Approximately 390 of the vulnerabilities resolved with the latest Oracle patches were publicly disclosed over the past two years. Most of the remaining ones are from 2022-2024, but five were disclosed over half a decade ago: four in 2021 and one in 2020. Oracle published the April 2026 CPU one month after it released an emergency patch for CVE-2026-21992, a critical-severity remote code execution flaw in Identity Manager and Web Services Manager. Related: Oracle’s First 2026 CPU Delivers 337 New Security Patches Related: Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster Related: Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities Related: Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Dozens of Malicious Crypto Apps Land in Apple App Store Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities $290 Million Kelp DAO Crypto Heist Blamed on North Korea British Scattered Spider Hacker Pleads Guilty in the US Hackers Abuse QEMU for Defense Evasion Half of the 6 Million Internet-Facing FTP Servers Lack Encryption Hackers Fail to Exploit Flaw in Discontinued TP-Link Routers Latest News After Bluesky, Mastodon Targeted in DDoS Attack Most Serious Cyberattacks Against the UK Now From Russia, Iran and China, Cyber Chief Says New Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention  Mirai Botnet Targets Flaw in Discontinued D-Link Routers Are SBOMs Failing? Supply Chain Attacks Rise as Security Teams Struggle With SBOM Data Claude Mythos Finds 271 Firefox Vulnerabilities North Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks Google Antigravity in Crosshairs of Security Researchers, Cybercriminals Trending Next.Js Creator Vercel Hacked Serial-To-IP Converter Flaws Expose OT And Healthcare Systems To Hacking Bluesky Disrupted By Sophisticated DDoS Attack Hackers Abuse QEMU For Defense Evasion Data Breaches At Healthcare Organizations In Illinois And Texas Affect 600,000 Organizations Warned Of Exploited Cisco, Kentico, Zimbra Vulnerabilities $290 Million Kelp DAO Crypto Heist Blamed On North Korea Unsecured Perforce Servers Expose Sensitive Data From Major Orgs Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Anti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors. ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer. Thomas Bain has been appointed Chief Marketing Officer at Silent Push. More People On The Move Expert Insights Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Email