Full Report
Oracle addresses 243 CVEs in its June 2026 Critical Security Patch Update with 245 patches, including 122 critical updates.

## Key Takeaways

- The June 2026 Critical Security Patch Update (CSPU) contains fixes for 243 unique CVEs in 245 security updates
- 122 issues (49.8% of all patches) were assigned a critical severity rating
- Oracle Fusion Middleware received the highest number of patches at 106, accounting for 43.3% of all patches

## Background

On June 16, Oracle released its Critical Security Patch Update (CSPU) for June 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 243 unique CVEs in 245 security updates across 11 Oracle product families. Out of the 245 security updates published, 49.8% of patches were assigned a critical severity. Critical severity patches accounted for the bulk of security patches at 49.8%, followed by high severity patches at 42.4%.

This month's update includes 122 critical patches across 122 CVEs.

| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 122 | 122 |
| High | 104 | 102 |
| Medium | 15 | 15 |
| Low | 4 | 4 |
| Total | 245 | 243 |

## Analysis

This month's update saw the Oracle Fusion Middleware product family contain the highest number of patches at 106, accounting for 43.3% of the total patches, followed by Oracle E-Business Suite at 55 patches, which accounted for 22.4% of the total patches.

A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Fusion Middleware | 106 | 53 |
| Oracle E-Business Suite | 55 | 6 |
| Oracle JD Edwards | 20 | 12 |
| Oracle Enterprise Manager | 16 | 6 |
| Oracle Siebel CRM | 12 | 7 |
| Oracle PeopleSoft | 11 | 7 |
| Oracle Virtualization | 10 | 0 |
| Oracle MySQL | 8 | 4 |
| Oracle Communications | 3 | 3 |
| Oracle Systems | 3 | 1 |
| Oracle Supply Chain | 1 | 1 |

## Oracle PeopleSoft zero-day exploited

On June 10, Oracle published an out-of-band Security Alert Advisory for CVE-2026-35273, a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. On June 11, researchers at Google Threat Intelligence Group (GTIG) and Mandiant published a blog post confirming that CVE-2026-35273 was exploited in the wild as a zero-day by the extortion group ShinyHunters (UNC6240). The campaign, which affected over 100 global organizations, primarily impacted organizations within the United States, 68% of which were in the higher education sector. Organizations are advised to apply the available patches as soon as possible.

## Solution

Customers are advised to apply all relevant patches in this CSPU. Please refer to the June 2026 advisory for full details.

## Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

## Get more information

- Oracle Critical Security Patch Update Advisory - June 2026
- Oracle June 2026 Critical Security Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Analysis Summary
# Vulnerability: June 2026 Oracle Critical Security Patch Update (CSPU)
## CVE Details
- **CVE ID:** CVE-2026-35273 (Key Zero-Day focus); 243 unique CVEs total.
- **CVSS Score:** Multiple, up to 9.8 (Critical)
- **CWE:** Not specifically listed in summary (Multiple CWEs across 243 vulnerabilities).
## Affected Systems
- **Primary Affected Products:**
  - **Oracle Fusion Middleware:** 106 patches (Highest volume)
  - **Oracle E-Business Suite:** 55 patches
  - **Oracle PeopleSoft:** 11 patches (Target of zero-day exploitation)
  - **Oracle JD Edwards:** 20 patches
  - **Oracle Enterprise Manager:** 16 patches
  - **Other product families:** Siebel CRM, Virtualization, MySQL, Communications, Systems, and Supply Chain.
- **Versions:** Various versions across 11 Oracle product families.
- **Configurations:** High risk for network-reachable systems affected by vulnerabilities rated **Remote Exploit without Authentication** (53 of the Fusion Middleware and 12 of the JD Edwards vulnerabilities).
## Vulnerability Description
This monthly CSPU addresses 243 unique CVEs. The most significant finding is **CVE-2026-35273**, a high-impact Remote Code Execution (RCE) vulnerability in **Oracle PeopleSoft Enterprise PeopleTools**. The flaw allows unauthenticated attackers to execute arbitrary code on the host operating system, facilitating data theft and lateral movement.
## Exploitation
- **Status:** **Exploited in the wild.** CVE-2026-35273 was utilized as a zero-day by the threat group **ShinyHunters (UNC6240)**.
- **Complexity:** Low (for many critical patches including the PeopleSoft RCE).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Critical (Complete data access/extortion confirmed in ShinyHunters campaign).
- **Integrity:** Critical (Unauthorized modification of system files/databases).
- **Availability:** Critical (Potential for system takeover or service disruption).
## Remediation
### Patches
- Users must apply the **June 2026 Critical Security Patch Update**.
- Prioritize updates for **PeopleSoft Enterprise PeopleTools** to mitigate active exploitation.
- Prioritize **Oracle Fusion Middleware** (accounting for 43.3% of the total patches).
### Workarounds
- No specific software workarounds provided in the advisory; immediate patching is the only recommended mitigation for the active zero-day.
- General hardening: Disable unnecessary network-facing services related to PeopleTools until patches are applied.
## Detection
- **Indicators of Compromise (IoCs):** Monitor for unusual outbound traffic or unauthorized system access within higher education sectors (primary target of ShinyHunters).
- **Detection Tools:**
  - Tenable plugins (Search query: "June 2026 CSPU").
  - Review Google Threat Intelligence Group (GTIG) and Mandiant blog posts regarding UNC6240 activity.
## References
- Oracle Critical Security Patch Update Advisory: hxxps[://]www[.]oracle[.]com/security-alerts/cspujun2026[.]html
- Oracle June 2026 Risk Matrices: hxxps[://]www[.]oracle[.]com/security-alerts/cspujun2026verbose[.]html
- Mandiant/Google Intelligence Report: hxxps[://]cloud[.]google[.]com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit