
Oracle has released its April 2026 Critical Patch Update (CPU), addressing a total of 481 security issues that correspond to approximately 450 unique vulnerabilities across 28 product families.
A significant portion of these flaws, over 300, are classified as remotely exploitable without authentication, meaning attackers could compromise affected systems over a network without needing user credentials.
Among the patched issues, several dozen were rated as critical severity, highlighting the serious risk posed to enterprise environments if left unaddressed. The vulnerabilities span a wide range of Oracle products, including communications platforms, financial services applications, and middleware systems.
Oracle Communications received the highest number of fixes in this update, with 139 patches, including 93 vulnerabilities that could be exploited remotely without authentication. Financial Services Applications followed with 75 patches, while Fusion Middleware accounted for 59 fixes, many of which also involved high-risk, remotely exploitable flaws.
The update also includes patches for third-party components integrated into Oracle products, reflecting the growing complexity of enterprise software ecosystems and the risks associated with supply chain dependencies.
Oracle’s Critical Patch Updates are released quarterly and are considered essential for maintaining system security. Security experts strongly recommend that organizations apply these patches promptly, as unpatched vulnerabilities in widely used enterprise systems are often targeted by attackers shortly after disclosure.
The scale of this update underscores the increasing volume and severity of security threats facing enterprise software, reinforcing the importance of proactive patch management and continuous monitoring to mitigate potential cyber risks.




