Oracle Critical Patch Update, June 2026 Security Update Review
Oracle released its third quarterly edition of this year’s Critical Patch Update. The update contains patches for 245 security vulnerabilities, some of which impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Fusion Middleware received the highest number of patches, 106, constituting about 44% of the total patches released.
4 of the 245 (about 2%) security patches provided by the June Critical Patch Update are for non-Oracle CVEs, such as open-source components included in and exploitable within Oracle product distributions.
In these security updates, Oracle has covered product families, including Oracle Communications, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Fusion Middleware, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, and Oracle Virtualization.
Notable Oracle Vulnerabilities Patched
Oracle Fusion Middleware
This Critical Patch Update for Oracle Fusion Middleware received 106 security patches. Out of these, 53 vulnerabilities can be exploited over a network without user credentials.
A total of 67 vulnerabilities have critical severity ratings. Successful exploitation of these vulnerabilities can lead to remote code execution.
Oracle E-Business Suite
This Critical Patch Update for Oracle E-Business Suite received 55 security patches. Out of these, six vulnerabilities can be exploited over a network without user credentials.
A total of 16 vulnerabilities have critical severity ratings. Successful exploitation of these vulnerabilities can lead to remote code execution.
Oracle JD Edwards
This Critical Patch Update for Oracle JD Edwards received 20 security patches. Out of these, 12 vulnerabilities can be exploited over a network without user credentials.
A total of 18 vulnerabilities have critical severity ratings. Successful exploitation of these vulnerabilities can lead to remote code execution.
Oracle MySQL
This Critical Patch Update for Oracle MySQL received eight security patches. Out of these, four vulnerabilities can be exploited over a network without user credentials.
CVE-2026-46850, CVE-2026-46860, and CVE-2026-46861 have critical severity and CVSS scores of 9.9, 9.8, and 9.6, respectively. Successful exploitation of the vulnerabilities can result in remote code execution.
Oracle PeopleSoft
This Critical Patch Update for Oracle PeopleSoft received 11 security patches. Out of these, seven vulnerabilities can be exploited over a network without user credentials.
CVE-2026-35278 in the Performance Monitor of PeopleSoft Enterprise PT PeopleTools has critical severity with a CVSS score of 9.8. Successful exploitation of this vulnerability can result in remote code execution.
Visit the Oracle Critical Patch Update June 2026 (CPUJUN2026) page for a description of each vulnerability and the systems it affects.
Customers can scan their network with QIDs 387699, 20581, 20582, and 296137 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://www.oracle.com/security-alerts/cspujun2026.html
