Oracle Critical Patch Update, April 2026 Security Update Review

Diksha Ojha

Oracle released its second quarterly edition of this year’s Critical Patch Update. The update contains patches for 481 security vulnerabilities, some of which impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.

In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 139, constituting about 28% of the total patches released. Oracle Financial Services Applications and Oracle Fusion Middleware followed, with 75 and 59 security patches, respectively.

376 of the 481 security patches provided by the April Critical Patch Update (about 78%) are for non-Oracle CVEs, such as open-source components included in and exploitable within Oracle product distributions.

This batch of security patches includes 27 updates for Oracle Database products. The following is the product-wise distribution:

  • Eight new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 7.5.
    • One of these updates applies to client-only deployments of the Oracle Database. 
  • Two new security updates for the Oracle Autonomous Health Framework with a maximum reported CVSS Base Score of 7.2.
  • Three new security updates for Oracle Blockchain Platform with a maximum reported CVSS Base Score of 7.5.
  • 10 new security updates for Oracle GoldenGate with a maximum reported CVSS Base Score of 7.5.
  • Two new security updates for Oracle REST Data Services with a maximum reported CVSS Base Score of 7.5.
  • One new security update for Oracle TimesTen In-Memory Database with a maximum reported CVSS Base Score of 7.4.

In these security updates, Oracle has covered product families, including Oracle Database Server, Oracle Adapter for Eclipse RDF4J, Oracle Autonomous Health Framework, Oracle Blockchain Platform, Oracle GoldenGate, Oracle REST Data Services, Oracle TimesTen In-Memory Database, Oracle Commerce, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Life Science Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Qualys QID Coverage

Qualys has released the QIDs listed in the following table:

QIDs     Title
20574    Oracle E-Business Suite Security Update (CPUAPR2026)
20573    Oracle MySQL Server April 2026 Critical Patch Update (CPUAPR2026)
20572    Oracle Database 19c Critical Patch Update – April 2026
20571    Oracle Database 19c OJVM Critical Patch Update – April 2026
20570    Oracle Database 21c Critical Patch Update – April 2026
387130   Oracle MySQL Connectors April 2026 Critical Patch Update (CPUAPR2026)
387129   Oracle Hypertext Transfer Protocol (HTTP) Server April 2026 Critical Patch Update (CPUAPR2026)
387128   Oracle Managed Virtualization (VM) VirtualBox April 2026 Critical Patch Update (CPUAPR2026)
387117   Oracle Java Standard Edition (SE) Critical Patch Update – April 2026 (CPUAPR2026)
87606    Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2026)
296136   Oracle Solaris 11.4 Support Repository Update (SRU) 92.214.1 Missing (CPU2026APR)

Note: The table will be updated with additional QIDs once released.

Notable Oracle Vulnerabilities Patched

Oracle Communications

This Critical Patch Update for Oracle Communications received 139 security patches. Out of these, 93 vulnerabilities can be exploited over a network without user credentials.

CVE-2025-6965, CVE-2025-68615, CVE-2026-25968, CVE-2025-48913, CVE-2025-12543, CVE-2024-5535, CVE-2025-55130, and CVE-2025-58050 have critical severity and CVSS scores of 9.8, 9.6, and 9.1. Successful exploitation of these vulnerabilities can lead to remote code execution.

Oracle Financial Services Applications

This Critical Patch Update for Oracle Financial Services Applications received 75 security patches. Out of these, 59 vulnerabilities can be exploited over a network without user credentials.

CVE-2023-34034 and CVE-2023-44981 have critical severity and CVSS scores of 9.8 and 9.1, respectively. Successful exploitation of these vulnerabilities can lead to remote code execution.

Oracle Fusion Middleware

This Critical Patch Update for Oracle Fusion Middleware received 59 security patches. Out of these, 46 vulnerabilities can be exploited over a network without user credentials.

CVE-2022-45047, CVE-2025-68615, CVE-2026-34285, CVE-2026-34286, CVE-2026-34287, and CVE-2021-45046 have critical severity and CVSS scores of 9.8, 9.1, and 9.0. Successful exploitation of these vulnerabilities can lead to remote code execution.

Oracle MySQL

This Critical Patch Update for Oracle MySQL received 34 security patches. Out of these, three vulnerabilities can be exploited over a network without user credentials.

CVE-2025-15467 in the Enterprise Backup component of MySQL Enterprise Backup has critical severity and a CVSS score of 9.8. Successful exploitation of this vulnerability can result in remote code execution.

Oracle E-Business Suite

This Critical Patch Update for Oracle E-Business Suite received 18 security patches. Out of these, eight vulnerabilities can be exploited over a network without user credentials.

CVE-2026-34275 in the Setup and Administration component of Oracle Advanced Inbound Telephony has critical severity with a CVSS score of 9.8. Successful exploitation of this vulnerability can result in remote code execution.
