Oracle April 2026 Critical Patch Update Addresses 481 Vulnerabilities

Severity: High (Score: 72.0)

Sources: Tenable, Blogs.Oracle, Digital.Nhs.Uk, Heise.De, www.oracle.com

Summary

On April 21, 2026, Oracle released its Critical Patch Update (CPU) for April 2026, which includes 481 security patches addressing 241 unique CVEs across 28 product families. Among these, 34 patches are classified as critical. The Oracle Communications product family is notably affected, with 139 vulnerabilities, 93 of which are remotely exploitable without authentication. Other affected systems include Oracle E-Business Suite and Oracle Fusion Middleware, which also have multiple vulnerabilities that can be exploited remotely. Customers are urged to apply these patches immediately to mitigate risks. The update follows ongoing reports of exploitation attempts against previously patched vulnerabilities, emphasizing the importance of timely patch application. This advisory highlights the critical nature of maintaining updated systems to defend against potential attacks. Key Points: • Oracle's April 2026 CPU includes 481 patches for 241 CVEs across 28 product families. • 34 of the patches are classified as critical, with 139 vulnerabilities in Oracle Communications. • Customers are strongly advised to apply the patches to prevent exploitation of known vulnerabilities.

Key Entities

• Malware (attack_type)
• Zero-day Exploit (attack_type)
• Oracle (company)
• CVE-2016-0000 (cve)
• CVE-2021-0000 (cve)
• CVE-2025-15467 (cve)
• CVE-2025-68615 (cve)
• CVE-2025-6965 (cve)
• E-Business Suite (platform)
• Fusion Middleware (platform)
• MySQL (platform)
• Oracle Adapter For Eclipse Rdf4j (platform)
• Oracle Analytics (platform)