Oracle’s Second Monthly Security Updates Deliver 245 Patches 

Oracle has released its June 2026 Critical Security Patch Update to fix vulnerabilities in Communications, EBS, Enterprise Manager and other products.

Oracle on Tuesday announced the release of its June 2026 Critical Security Patch Update (CSPU), the second since it began releasing monthly patches. 

The company still releases its quarterly Critical Patch Updates, but it recently decided to supplement them with monthly patches to address more severe vulnerabilities.

The software giant said the latest round of CSPU updates delivers 245 new patches, including for Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, JD Edwards, MySQL, PeopleSoft, Siebel CRM, Supply Chain, Systems, and Virtualization products.

Roughly 120 vulnerabilities have been assigned a ‘critical’ severity rating based on CVSS score. According to Oracle, 100 flaws can be exploited remotely without authentication.

Of the total number of security holes, more than 100 were patched in Oracle Fusion Middleware, the vast majority of them rated ‘critical’ or ‘high’ severity.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,” Oracle said in its advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.”

However, the company has not mentioned the exploitation of zero-day vulnerabilities. 

Security firms recently reported seeing the ShinyHunters cybercrime group exploiting an Oracle PeopleSoft flaw tracked as CVE-2026-35273. The attacks reportedly targeted at least 100 organizations, many in the education sector. 

Oracle has urged users to patch the vulnerability, but its public documentation does not explicitly confirm in-the-wild exploitation.

The June CSPU advisory also mentions CVE-2026-35273, but it does not include any information about active exploitation.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
