ORACLE released 481 new security patches as part of its April 2026 Critical Patch Update (CPU), covering 28 product families. Across those products, more than 300 fixes address vulnerabilities that are remotely exploitable without authentication, with roughly three dozen fixes addressing critical-severity flaws. The CPU listing shows approximately 450 unique CVEs, around 240 of which appear in risk matrix tables, plus additional CVEs fixed as well as third-party issues not exploitable in Oracle’s products.
Oracle Communications received the largest number of patches this month, at 139, including 93 for vulnerabilities that are remotely exploitable without authentication, while Financial Services Applications had 75 new fixes (59 remote, unauthenticated) and Fusion Middleware 59 (46 remotely exploitable, without authentication).
The release also patches for MySQL (34 fixes – 3 remote, unauthenticated), PeopleSoft (21 – 7), E-Business Suite (18 – 8), Analytics (15 – 11), Retail Applications (15 – 15), and Siebel CRM (14 – 13). Approximately 390 of the vulnerabilities resolved were publicly disclosed over the past two years, with the remainder from 2022–2024 and five older disclosures dating back to 2020–2021. Oracle published the April 2026 CPU one month after releasing an emergency patch for CVE-2026-21992.