CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products

Cybersecurity News Archived May 29, 2026 ✓ Full text saved

Oracle has rolled out its first Critical Security Patch Update (CSPU), delivering 35 new security fixes for serious vulnerabilities across several major product lines, including Oracle Database, Oracle REST Data Services, Oracle Communications Unified Assurance, Oracle E‑Business Suite, and Oracle Hospitality OPERA 5. This new CSPU model is designed as a smaller, focused set of […] The post Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products appeared first on Cyber

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products By Abinaya May 29, 2026 Oracle has rolled out its first Critical Security Patch Update (CSPU), delivering 35 new security fixes for serious vulnerabilities across several major product lines, including Oracle Database, Oracle REST Data Services, Oracle Communications Unified Assurance, Oracle E‑Business Suite, and Oracle Hospitality OPERA 5. This new CSPU model is designed as a smaller, focused set of high‑priority fixes that complements Oracle’s existing quarterly Critical Patch Updates (CPUs), giving customers a faster way to remediate critical issues between the larger cumulative releases. The May 28, 2026 CSPU marks the debut of Oracle’s monthly security patching cycle, with future CSPUs planned for most third Tuesdays of the month. Unlike CPUs, which can contain hundreds of fixes across dozens of product families, this CSPU concentrates on 35 new vulnerabilities that Oracle has assessed as requiring accelerated attention. Oracle Critical Security Update These patches cover both Oracle’s own code and widely used third‑party components embedded in Oracle products, such as Apache Kafka, ActiveMQ, Tomcat, ZooKeeper, MySQL, PCRE2, libpng, and Apache HTTP Server. In the database stack, Oracle Database Server versions 23.4.0 through 23.26.2 receive three new security patches for the Net Service component. All three issues, tracked as CVE‑2026‑46833, CVE‑2026‑46834, and CVE‑2026‑46835, can be exploited remotely over TLS without authentication, and the fixes apply even to client‑only installations that do not have a full database server deployed. This makes patching essential for any environment where Oracle client libraries are exposed to untrusted networks or intermediary services. Oracle REST Data Services (ORDS) versions 24.2.0 to 26.1.0 are particularly affected, with 11 new security patches and additional updates for bundled third‑party components. Seven of these flaws are remotely exploitable over HTTPS without user credentials, affecting ORDS core, Backend‑as‑a‑Service, MongoAPI, and the Eclipse Jetty stack. CVE‑2026‑46840 in the Backend‑as‑a‑Service component carries a CVSS v3.1 base score of 10.0, signaling complete compromise of confidentiality, integrity, and availability if exploited on an exposed ORDS endpoint. Oracle Communications Unified Assurance versions 6.1.1 through 7.0.0 receive eight new patches, including four vulnerabilities that are remotely exploitable without authentication in messaging and core web components. The CSPU also delivers 12 new fixes for Oracle E‑Business Suite 12.2.3–12.2.15, impacting modules such as Payments, Payroll, iAssets, Flow Manufacturing, and Financials Common Modules, with several CVSS scores of 9.8 and 9.9 over HTTP or HTTPS. In the hospitality domain, Oracle Hospitality OPERA 5 Property Services is affected by CVE‑2026‑34311, a critical remote issue scoring 9.8 and impacting multiple 5.6.x releases. Oracle Security Alert issues provide CVSS-rated vulnerabilities, detailed advisories, risk matrices, and CSAF feeds for automated security management. The advisory stresses that attackers continue to exploit already‑patched flaws where customers have delayed updates successfully, and strongly urges immediate deployment of CSPU patches on all supported versions. While temporary risk reduction may be possible by blocking affected network protocols or stripping unnecessary privileges. Oracle warns that such measures can break application functionality and must not be treated as long‑term substitutes for patching the underlying code. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Quasar Linux RAT Targets Developers With Fileless Execution and eBPF Rootkit Google Employee Charged for Making $1.2 Million With Confidential Information WhatsApp Chat Histories Stored Unencrypted on macOS and iOS Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks Hackers Abuse Shared CDN Edge IPs to Bypass Protective DNS Filtering Latest News Cyber Security News Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings Cyber Security News Critical Samba Vulnerability Enables Remote Code Execution Attacks Chrome Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones Cyber Security News Google Employee Charged for Making $1.2 Million With Confidential Information Cyber Security News VS Code Remote-SSH RCE Lets Attackers Pivot From Developer Machines to Cloud Servers
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗