Oracle Critical Patch Update, June 2026 Security Update Review

Diksha Ojha

Oracle released its third quarterly edition of this year’s Critical Patch Update. The update received patches for 245 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.

In this quarterly Oracle Critical Patch Update, Oracle Fusion Middleware received the highest number of patches, 106, constituting about 44% of the total patches released.

Four of the 245 (about 2%) security patches in the June Critical Patch Update are for non-Oracle CVEs, such as open-source components included in, and exploitable within, Oracle product distributions.

In these security updates, Oracle has covered product families such as Oracle Communications, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Fusion Middleware, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, and Oracle Virtualization.

Qualys QID Coverage

Qualys has released the QIDs listed in the following table:

QID      Title
20581    Oracle MySQL Server June 2026 Critical Patch Update (CPUJUN2026)
20582    Oracle E-Business Suite Security Update (CPUJUN2026)
296137   Oracle Solaris 11.4 Support Repository Update (SRU) 93.221.2 Missing (CPUJUN2026)
387699   Oracle Managed Virtualization (VM) VirtualBox June 2026 Critical Patch Update (CSPUJUN2026)

Note: The table will be updated with additional QIDs once released.

Notable Oracle Vulnerabilities Patched

Oracle Fusion Middleware

This Critical Patch Update for Oracle Fusion Middleware received 106 security patches. Out of these, 53 vulnerabilities can be exploited over a network without user credentials.

A total of 67 vulnerabilities have critical severity ratings. Successful exploitation of these vulnerabilities can lead to remote code execution.

Oracle E-Business Suite

This Critical Patch Update for Oracle E-Business Suite received 55 security patches. Out of these, six vulnerabilities can be exploited over a network without user credentials.

A total of 16 vulnerabilities have critical severity ratings. Successful exploitation of these vulnerabilities can lead to remote code execution.

Oracle JD Edwards

This Critical Patch Update for Oracle JD Edwards received 20 security patches. Out of these, 12 vulnerabilities can be exploited over a network without user credentials.

A total of 18 vulnerabilities have critical severity ratings. Successful exploitation of these vulnerabilities can lead to remote code execution.

Oracle MySQL

This Critical Patch Update for Oracle MySQL received eight security patches. Out of these, four vulnerabilities can be exploited over a network without user credentials.

CVE-2026-46850, CVE-2026-46860, and CVE-2026-46861 have critical severity, with CVSS scores of 9.9, 9.8, and 9.6, respectively. Successful exploitation of these vulnerabilities can result in remote code execution.

Oracle PeopleSoft

This Critical Patch Update for Oracle PeopleSoft received 11 security patches. Out of these, seven vulnerabilities can be exploited over a network without user credentials.

CVE-2026-35278 in the Performance Monitor of PeopleSoft Enterprise PT PeopleTools has critical severity with a CVSS score of 9.8. Successful exploitation of this vulnerability can result in remote code execution.
