Oracle May 2026 Critical Security Patch Update Addresses 35 CVEs

2-minute read May 28 2026 Oracle May 2026 Critical Security Patch Update Addresses 35 CVEs By Research Special Operations Subscribe Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates. Key Takeaways The May 2026 Critical Security Patch Update (CSPU) contains fixes for 35 unique CVEs in 35 security updates 11 issues (31.4% of all patches) were assigned a critical severity rating Oracle E-Business Suite received the highest number of patches at 12, accounting for 34.3% of all patches Background On May 28, Oracle released its Critical Security Patch Update (CSPU) for May 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 35 unique CVEs in 35 security updates across 5 Oracle product families. Out of the 35 security updates published, 31.4% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 51.4%, followed by critical severity patches at 31.4%. This month's update includes 11 critical patches across 11 CVEs. Severity Issues Patched CVEs Critical 11 11 High 18 18 Medium 6 6 Low 0 0 Total 35 35 Analysis This month's update saw the Oracle E-Business Suite product family contain the highest number of patches at 12, accounting for 34.3% of the total patches, followed by Oracle REST Data Services at 11 patches, which accounted for 31.4% of the total patches. A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication. Oracle Product Family Number of Patches Remote Exploit without Auth Oracle E-Business Suite 12 3 Oracle REST Data Services 11 7 Oracle Communications 8 4 Oracle Database Server 3 3 Oracle Hospitality Applications 1 1 Solution Customers are advised to apply all relevant patches in this CSPU. Please refer to the May 2026 advisory for full details. Identifying affected systems A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released. Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats. Learn more about Tenable One, the Exposure Management Platform for the modern attack surface. Author Learn more Research Special Operations The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this han... Read more Oracle Critical Security Patch Update Advisory - May 2026 Oracle May 2026 Critical Security Patch Update Risk Matrices Oracle Advisory to CVE Map Related articles RESEARCH MAY 28 2026 Download pumping: New npm deception technique for supply chain attacks By Ron Popov RESEARCH MAY 27 2026 Inside the customer environment: Where threat actors, vulnerabilities, and… By Trevor Farthing AI SECURITY MAY 26 2026 EXPOSURE 2026 prepares cybersecurity professionals for the AI era By Team Tenable Exposure Management Vulnerability Management Tenable Lumin Tenable Nessus Tenable Nessus Network Monitor Tenable One Tenable Patch Management Tenable Security Center Tenable Security Center Plus Tenable Vulnerability Management