Oracle on Tuesday announced the release of 481 new security patches as part of its April 2026 Critical Patch Update (CPU).
Across the 28 product families that received security updates, more than 300 patches address vulnerabilities that are remotely exploitable without authentication. Roughly three dozen fixes resolve critical-severity security defects.
There appear to be approximately 450 unique CVEs listed on the latest Oracle CPU page. Approximately 240 are included in the risk matrix tables, but additional CVEs have been fixed as well, along with third-party issues not exploitable in Oracle’s products.
In some cases, the same CVE was patched in multiple products. For some products, Oracle did not release new security patches for exploitable weaknesses, but rolled out third-party patches.
Oracle Communications received the largest number of security patches this month, at 139, including 93 for vulnerabilities that are remotely exploitable without authentication.
Financial Services Applications was the second-most-impacted Oracle product, with 75 new security fixes, 59 of which addressed remote, unauthenticated bugs. Fusion Middleware followed closely, with 59 patches (46 flaws exploitable remotely, without authentication).
Oracle also released a significant number of patches for MySQL (34 fixes – 3 for issues exploitable by remote, unauthenticated attackers), PeopleSoft (21 – 7), E-Business Suite (18 – 8), Analytics (15 – 11), Retail Applications (15 – 15), and Siebel CRM (14 – 13).
Several products received close to a dozen patches each, including Java SE (11 – 7), GoldenGate (10 – 7), Enterprise Manager (9 – 8), Virtualization (9 – 1), and Database Server (8 – 4).
Fixes were also released for Adapter for Eclipse RDF4J, Autonomous Health Framework, Blockchain Platform, REST Data Services, TimesTen In-Memory Database, Commerce, Construction and Engineering, Life Science Applications, Hospitality Applications, Hyperion, JD Edwards, Supply Chain, Systems, and Utilities Applications.
Approximately 390 of the vulnerabilities resolved with the latest Oracle patches were publicly disclosed over the past two years. Most of the remaining ones are from 2022-2024, but five were disclosed over half a decade ago: four in 2021 and one in 2020.
Oracle published the April 2026 CPU one month after it released an emergency patch for CVE-2026-21992, a critical-severity remote code execution flaw in Identity Manager and Web Services Manager.
Related: Oracle’s First 2026 CPU Delivers 337 New Security Patches
Related: Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster
Related: Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities
Related: Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking
