Oracle addresses 243 CVEs in its June 2026 Critical Security Patch Update with 245 patches, including 122 critical updates.
Key Takeaways
- The June 2026 Critical Security Patch Update (CSPU) contains fixes for 243 unique CVEs in 245 security updates
- 122 issues (49.8% of all patches) were assigned a critical severity rating
- Oracle Fusion Middleware received the highest number of patches at 106, accounting for 43.3% of all patches
Background
On June 16, Oracle released its Critical Security Patch Update (CSPU) for June 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 243 unique CVEs in 245 security updates across 11 Oracle product families. Out of the 245 security updates published, 49.8% of patches were assigned a critical severity. Critical severity patches accounted for the bulk of security patches at 49.8%, followed by high severity patches at 42.4%.
This month’s update includes 122 critical patches across 122 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 122 | 122 |
| High | 104 | 102 |
| Medium | 15 | 15 |
| Low | 4 | 4 |
| Total | 245 | 243 |
Analysis
This month’s update saw the Oracle Fusion Middleware product family contain the highest number of patches at 106, accounting for 43.3% of the total patches, followed by Oracle E-Business Suite at 55 patches, which accounted for 22.4% of the total patches.
A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Fusion Middleware | 106 | 53 |
| Oracle E-Business Suite | 55 | 6 |
| Oracle JD Edwards | 20 | 12 |
| Oracle Enterprise Manager | 16 | 6 |
| Oracle Siebel CRM | 12 | 7 |
| Oracle PeopleSoft | 11 | 7 |
| Oracle Virtualization | 10 | 0 |
| Oracle MySQL | 8 | 4 |
| Oracle Communications | 3 | 3 |
| Oracle Systems | 3 | 1 |
| Oracle Supply Chain | 1 | 1 |
Oracle PeopleSoft zero-day exploited
On June 10, Oracle published an out-of-band Security Alert Advisory for CVE-2026-35273, a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. On June 11, researchers at Google Threat Intelligence Group (GTIG) and Mandiant published a blog post confirming that CVE-2026-35273 was exploited in the wild as a zero-day by the extortion group ShinyHunters (UNC6240). The campaign, which affected over 100 global organizations, primarily impacted organizations within the United States, 68% of which were in the higher education sector. Organizations are advised to apply the available patches as soon as possible.
Solution
Customers are advised to apply all relevant patches in this CSPU. Please refer to the June 2026 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
