Oracle June 2026 Critical Security Patch Update Addresses 243 CVEs (CVE-2026-35273)

Oracle June 2026 Critical Security Patch Update Addresses 243 CVEs (CVE-2026-35273) By Research Special Operations Subscribe Oracle addresses 243 CVEs in its June 2026 Critical Security Patch Update with 245 patches, including 122 critical updates. Key Takeaways The June 2026 Critical Security Patch Update (CSPU) contains fixes for 243 unique CVEs in 245 security updates 122 issues (49.8% of all patches) were assigned a critical severity rating Oracle Fusion Middleware received the highest number of patches at 106, accounting for 43.3% of all patches Background On June 16, Oracle released its Critical Security Patch Update (CSPU) for June 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 243 unique CVEs in 245 security updates across 11 Oracle product families. Out of the 245 security updates published, 49.8% of patches were assigned a critical severity. Critical severity patches accounted for the bulk of security patches at 49.8%, followed by high severity patches at 42.4%. This month's update includes 122 critical patches across 122 CVEs. Severity Issues Patched CVEs Critical 122 122 High 104 102 Medium 15 15 Low 4 4 Total 245 243 Analysis This month's update saw the Oracle Fusion Middleware product family contain the highest number of patches at 106, accounting for 43.3% of the total patches, followed by Oracle E-Business Suite at 55 patches, which accounted for 22.4% of the total patches. A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication. Oracle Product Family Number of Patches Remote Exploit without Auth Oracle Fusion Middleware 106 53 Oracle E-Business Suite 55 6 Oracle JD Edwards 20 12 Oracle Enterprise Manager 16 6 Oracle Siebel CRM 12 7 Oracle PeopleSoft 11 7 Oracle Virtualization 10 0 Oracle MySQL 8 4 Oracle Communications 3 3 Oracle Systems 3 1 Oracle Supply Chain 1 1 Oracle PeopleSoft zero-day exploited On June 10, Oracle published an out-of-band Security Alert Advisory for CVE-2026-35273, a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. On June 11, researchers at Google Threat Intelligence Group (GTIG) and Mandiant published a blog post confirming that CVE-2026-35273 was exploited in the wild as a zero-day by the extortion group ShinyHunters (UNC6240). The campaign, which affected over 100 global organizations, primarily impacted organizations within the United States, 68% of which were in the higher education sector. Organizations are advised to apply the available patches as soon as possible. Solution Customers are advised to apply all relevant patches in this CSPU. Please refer to the June 2026 advisory for full details. Identifying affected systems A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released. Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats. Learn more about Tenable One, the Exposure Management Platform for the modern attack surface. Author Learn more Research Special Operations The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this han... Read more Oracle Critical Security Patch Update Advisory - June 2026 Oracle June 2026 Critical Security Patch Update Risk Matrices Oracle Advisory to CVE Map Related articles PRODUCTS JUN 16 2026 Improving precision in CTEM: How continuous controls validation in Tenable One… By Nathan Dyer CYBER EXPOSURE ALERTS JUN 9 2026 Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs ( CVE-2026-49160, CVE… By Research Special Operations AI SECURITY JUN 4 2026 The June 2026 AI Executive Order: What federal agencies need to know and how… By Jill Shapiro Exposure Management Vulnerability Management Tenable Lumin Tenable Nessus Tenable Nessus Network Monitor Tenable One Tenable Patch Management Tenable Security Center Tenable Security Center Plus Tenable Vulnerability Management