Oracle Critical Patch Update Pre-Release Announcement - July 2026

 

Description

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2026, which will be released on Tuesday, July 21, 2026.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update addresses 1455 new security patches. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible.

Executive Summaries

Oracle Database Server Executive Summary

This Critical Patch Update contains 16 new security patches for Oracle Database Products.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Database Server is 9.9.

The Oracle Database Server components and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Database Server, versions 19.3-19.31, 21.3-21.22, 23.4.0-23.26.2

Oracle APEX Executive Summary

This Critical Patch Update contains 3 new security patches for Oracle APEX.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle APEX is 5.5.

The Oracle APEX products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle APEX, versions 24.1, 24.2, 26.1

Oracle Autonomous Health Framework Executive Summary

This Critical Patch Update contains 4 new security patches for Oracle Autonomous Health Framework.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Autonomous Health Framework is 8.1.

The Oracle Autonomous Health Framework products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Autonomous Health Framework, versions 25.1, 26.0.0, 26.1.0, 26.2.0, 26.3.0, 26.5.0

Oracle Essbase Executive Summary

This Critical Patch Update contains 1 new security patch for Oracle Essbase.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Essbase is 5.4.

The Oracle Essbase products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Essbase, version 21.8.1.0.0

Oracle Global Lifecycle Management Executive Summary

This Critical Patch Update contains 1 new security patch for Oracle Global Lifecycle Management.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Global Lifecycle Management is 8.1.

The Oracle Global Lifecycle Management products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • OPatch, versions 12.2.0.1.16-12.2.0.1.51

Oracle GoldenGate Executive Summary

This Critical Patch Update contains 27 new security patches for Oracle GoldenGate.  9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle GoldenGate is 9.1.

The Oracle GoldenGate products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • GoldenGate Stream Analytics, versions 19.1.0.0.0-19.1.0.0.15, 26.1.0.0.0
  • Oracle GoldenGate, versions 19.1.0.0.0-19.30.0.0, 21.3-21.21, 23.4-23.26.2
  • Oracle GoldenGate Big Data and Application Adapters, versions 21.3-21.20, 23.4-23.26.1
  • Oracle GoldenGate Stream Analytics, versions 19.1.0.0.0-19.1.0.0.15

Oracle NoSQL Database Executive Summary

This Critical Patch Update contains 1 new security patch for Oracle NoSQL Database.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle NoSQL Database is 7.3.

The Oracle NoSQL Database products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle NoSQL Database, version 1.7

Oracle Spatial Studio Executive Summary

This Critical Patch Update contains 1 new security patch for Oracle Spatial Studio.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Spatial Studio is 7.5.

The Oracle Spatial Studio products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Spatial Studio, version 25.2.0

Oracle SQL Developer Executive Summary

This Critical Patch Update contains 5 new security patches for Oracle SQL Developer.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle SQL Developer is 9.1.

The Oracle SQL Developer products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle SQL Developer, versions 26.1.0, 26.2.0

Oracle TimesTen In-Memory Database Executive Summary

This Critical Patch Update contains 14 new security patches for Oracle TimesTen In-Memory Database.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle TimesTen In-Memory Database is 9.9.

The Oracle TimesTen In-Memory Database products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • TimesTen In-Memory Database, versions 18.1.4, 18.1.4.1.0-18.1.4.54.0, 22.1.1, 22.1.1.1.0-22.1.1.38.0, 26.1.1.1.0

Oracle Application Testing Suite Executive Summary

This Critical Patch Update contains 4 new security patches for Oracle Application Testing Suite.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Application Testing Suite is 9.8.

The Oracle Application Testing Suite components and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Application Testing Suite, version 13.3.0.1

Oracle Commerce Executive Summary

This Critical Patch Update contains 39 new security patches for Oracle Commerce.  27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Commerce is 9.9.

The Oracle Commerce products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Commerce Guided Search, version 11.4.0
  • Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version 11.4.0
  • Oracle Commerce Guided Search Platform Services, version 11.4.0
  • Oracle Commerce Platform, version 11.4.0
  • Oracle Commerce Service Center, version 11.4.0

Oracle Communications Executive Summary

This Critical Patch Update contains 168 new security patches for Oracle Communications.  122 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Communications is 9.8.

The Oracle Communications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Management Cloud Engine, version 25.2.0.0.0
  • Oracle Cloud Native Session Border Controller, version 26.0.0
  • Oracle Communications Billing and Revenue Management, versions 15.0.0.0.0, 15.0.1.0.0, 15.1.0.0.0, 15.2.0.0.0
  • Oracle Communications BRM - Elastic Charging Engine, versions 15.0.0.0.0, 15.0.1.0.0, 15.1.0.0.0, 15.2.0.0.0
  • Oracle Communications Cloud Native Core Binding Support Function, versions 25.1.200, 25.2.200, 25.2.201
  • Oracle Communications Cloud Native Core Certificate Management, version 25.2.200
  • Oracle Communications Cloud Native Core Console, versions 25.1.203, 25.2.201
  • Oracle Communications Cloud Native Core DBTier, versions 25.1.200, 25.2.200
  • Oracle Communications Cloud Native Core Network Exposure Function, versions 24.2.0, 24.2.5
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 25.2.200
  • Oracle Communications Cloud Native Core Network Repository Function, version 25.2.201
  • Oracle Communications Cloud Native Core Network Slice Selection Function, version 25.2.200
  • Oracle Communications Cloud Native Core Policy, versions 24.2.0, 24.2.7, 25.1.200, 25.2.200
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 25.1.203, 25.2.200
  • Oracle Communications Cloud Native Core Service Communication Proxy, versions 25.1.200, 25.2.100, 25.2.200
  • Oracle Communications Cloud Native Core Unified Data Repository, versions 25.2.200, 25.200
  • Oracle Communications Converged Application Server, versions 8.2, 8.3
  • Oracle Communications Convergent Charging Controller, versions 15.0.0.0.0, 15.2.0.0.0
  • Oracle Communications Diameter Signaling Router, versions 6.0.2.2.0, 6.1.0.0.0, 6.2.0.0.0, 6.3.0.0.0, 9.0.0, 9.0.0.0.0-10.0.15
  • Oracle Communications Instant Messaging Server, version 10.0.1.8.0
  • Oracle Communications Messaging Server, version 8.1.0.0
  • Oracle Communications Network Analytics Data Director, versions 24.2.0, 24.2.0.0.1, 24.3.4, 25.1.200, 25.2.100, 25.2.200
  • Oracle Communications Network Charging and Control, versions 15.0.0.0.0, 15.0.1.0.0
  • Oracle Communications Network Integrity, versions 7.3.6, 7.4.0, 7.5.0, 8.0.0
  • Oracle Communications Offline Mediation Controller, versions 15.0.0.0.0-15.2.0.0.0
  • Oracle Communications Operations Monitor, versions 5.2, 6.0, 6.1
  • Oracle Communications Order and Service Management, versions 7.4.1, 7.5.0, 8.0.0
  • Oracle Communications Performance Intelligence Center, versions 10.5.0.1.0, 10.5.0.2.0
  • Oracle Communications Policy Management, version 15.0.0.0
  • Oracle Communications Pricing Design Center, versions 15.0.0.0.0, 15.0.1.0.0, 15.1.0.0.0, 15.2.0.0.0
  • Oracle Communications Service Catalog and Design, versions 8.0.0.7.0-8.3.0.3.0
  • Oracle Communications Session Border Controller, versions 9.3.0, 10.0.0, 10.1.0
  • Oracle Communications Unified Assurance, versions 6.1.1-7.0.0
  • Oracle Communications Unified Inventory Management, versions 7.5.0, 7.5.1, 7.6.0, 7.7.0, 7.8.0, 8.0.1
  • Oracle Communications User Data Repository, version 15.0
  • Oracle Enterprise Communications Broker, versions 4.2.0, 5.0.0, 5.1.0

Oracle Construction and Engineering Executive Summary

This Critical Patch Update contains 7 new security patches for Oracle Construction and Engineering.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Construction and Engineering is 9.8.

The Oracle Construction and Engineering products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Primavera Gateway, versions 21.12-21.12.17
  • Primavera P6 Enterprise Project Portfolio Management, versions 21.12.0.0-21.12.21.8, 22.12.0.0-22.12.21.2, 23.12.0-23.12.19, 24.12.0-24.12.14, 25.12.0-25.12.4
  • Primavera Unifier, versions 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.16, 24.12.0-24.12.14, 25.12.0-25.12.6

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 416 new security patches for Oracle E-Business Suite.  63 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle E-Business Suite is 9.8.

The Oracle E-Business Suite products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle E-Business Suite, versions 12.2.3-12.215, V16

Oracle Enterprise Manager Executive Summary

This Critical Patch Update contains 27 new security patches for Oracle Enterprise Manager.  13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Enterprise Manager is 9.8.

The Oracle Enterprise Manager products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Enterprise Manager Base Platform, versions 13.5, 24.1
  • Oracle Enterprise Manager for Fusion Middleware, version 13.5
  • Oracle Enterprise Manager for MySQL Database, version 13.5.4.0.0

Oracle Financial Services Applications Executive Summary

This Critical Patch Update contains 23 new security patches for Oracle Financial Services Applications.  18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Financial Services Applications is 9.8.

The Oracle Financial Services Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Banking Corporate Lending Process Management, versions 14.6.0-14.8.0
  • Oracle Banking Liquidity Management, versions 14.5.0-14.8.0
  • Oracle Banking Origination, versions 14.5.0-14.8.0
  • Oracle Banking Payments, versions 14.5.0-14.8.0
  • Oracle Banking Trade Finance, versions 14.6.0-14.8.0
  • Oracle Banking Trade Finance Process Management, versions 14.6.0-14.8.0
  • Oracle Banking Virtual Account Management, versions 14.5.0-14.8.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.9.0, 8.0.8.7.0, 8.1.2.5.0

Oracle Food and Beverage Applications Executive Summary

This Critical Patch Update contains 4 new security patches for Oracle Food and Beverage Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Food and Beverage Applications is 9.1.

The Oracle Food and Beverage Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Hospitality Simphony, versions 19.8-19.8.5, 19.9-19.9.3, 19.10

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 359 new security patches for Oracle Fusion Middleware.  224 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Fusion Middleware is 10.0.

The Oracle Fusion Middleware products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Access Manager, versions 12.2.1.4.0, 14.1.2.1.0, 15.1.1.0.0
  • Oracle Business Process Management Suite, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0
  • Oracle Data Integrator, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Enterprise Data Quality, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Fusion Middleware, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle Global Lifecycle Management NextGen OUI Framework, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 14.1.2.1.0, 15.1.1.0.0
  • Oracle HTTP Server, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Identity Manager, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle Identity Manager Connector, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle JDeveloper, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Managed File Transfer, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Middleware Common Libraries and Tools, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Platform Security for Java, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Security Service, version 12.2.1.4.0
  • Oracle SOA Suite, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Unified Directory, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle WebCenter Content, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebCenter Enterprise Capture, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebCenter Portal, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebCenter Sites, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0
  • Oracle Weblogic Server Proxy Plug-in, versions 12.2.1.4.0, 14.1.2.0.0, 15.1.1.0.0
  • Service Delivery Platform, version 14.1.2.0.0
  • WebCenter Content: Imaging, versions 12.2.1.4.0, 14.1.2.0.0

Oracle Analytics Executive Summary

This Critical Patch Update contains 6 new security patches for Oracle Analytics.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Analytics is 9.9.

The Oracle Analytics products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle BI Publisher, versions 8.2.0.0.0, 12.2.1.4.0, 26.1.0.0.0
  • Oracle Business Intelligence Enterprise Edition, versions 8.2.0.0.0, 26.1.0.0.0

Oracle HealthCare Applications Executive Summary

This Critical Patch Update contains 4 new security patches for Oracle HealthCare Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle HealthCare Applications is 7.5.

The Oracle HealthCare Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Health Sciences Information Manager, versions 4.0.0-4.0.2
  • Oracle Healthcare Data Repository, versions 8.2.0.0-8.2.0.7
  • Oracle Healthcare Master Person Index, versions 5.0.0.0-5.0.9.6

Oracle Hospitality Applications Executive Summary

This Critical Patch Update contains 2 new security patches for Oracle Hospitality Applications.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Hospitality Applications is 9.8.

The Oracle Hospitality Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Hospitality Cruise Shipboard Property Management (SPMS), versions 23.1, 23.2

Oracle Java SE Executive Summary

This Critical Patch Update contains 20 new security patches for Oracle Java SE.  18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.8.

The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle GraalVM Enterprise Edition, version 21.3.18
  • Oracle GraalVM for JDK, versions 17.0.19, 21.0.11
  • Oracle Java SE, versions 8u491, 8u491-b50, 8u491-perf, 11.0.31, 17.0.19, 21.0.11, 25.0.3, 26.0.1

Oracle JD Edwards Executive Summary

This Critical Patch Update contains 21 new security patches for Oracle JD Edwards.  5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle JD Edwards is 9.9.

The Oracle JD Edwards products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • JD Edwards EnterpriseOne Advanced Pricing - Procurement, version 9.2
  • JD Edwards EnterpriseOne Configurator, version 9.2
  • JD Edwards EnterpriseOne CRM Foundation, version 9.2
  • JD Edwards EnterpriseOne General Ledger, version 9.2
  • JD Edwards EnterpriseOne HCM Foundation, version 9.2
  • JD Edwards EnterpriseOne Human Resources Management, version 9.2
  • JD Edwards EnterpriseOne Procurement and Subcontract Management, version 9.2
  • JD Edwards EnterpriseOne Requirements Planning, version 9.2
  • JD Edwards EnterpriseOne Solution Advisor, version 9.2
  • JD Edwards EnterpriseOne Tools, version 9.2.26.3

Oracle MySQL Executive Summary

This Critical Patch Update contains 53 new security patches for Oracle MySQL.  9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 8.5.

The Oracle MySQL products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • MySQL Cluster, versions 8.0.0-8.0.47, 8.4.0-8.4.10, 9.0.0-9.7.1, 8.0.0-8.0.49, 8.4.0-8.4.10, 9.0.0-9.7.1
  • MySQL Connectors, versions 9.0.0-9.7.1
  • MySQL Router, versions 8.4.0-8.4.10, 9.0.0-9.7.1
  • MySQL Server, versions 8.0.0-8.0.46, 8.4.0-8.4.10, 9.0.0-9.7.1

Oracle PeopleSoft Executive Summary

This Critical Patch Update contains 84 new security patches for Oracle PeopleSoft.  45 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle PeopleSoft is 9.9.

The Oracle PeopleSoft products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • PeopleSoft Enterprise CC Common Application Objects, version 9.2
  • PeopleSoft Enterprise CRM Common Objects, version 9.2.23
  • PeopleSoft Enterprise CS Campus Community, version 9.2.38
  • PeopleSoft Enterprise CS Financial Aid, version 9.2.38
  • PeopleSoft Enterprise CS Student Financials, version 9.2.38
  • PeopleSoft Enterprise CS Student Records, version 9.2.38
  • PeopleSoft Enterprise FIN Billing Argentina, version 9.1
  • PeopleSoft Enterprise FIN Cash Management, version 9.2
  • PeopleSoft Enterprise FIN Common Objects, version 9.2
  • PeopleSoft Enterprise FIN Common Objects Argentina, version 9.1
  • PeopleSoft Enterprise FIN Common Objects Brazil, version 9.1
  • PeopleSoft Enterprise FIN Engineering Argentina, version 9.1
  • PeopleSoft Enterprise FIN eSettlements, version 9.2
  • PeopleSoft Enterprise FIN Expenses, version 9.2
  • PeopleSoft Enterprise FIN General Ledger Argentina, version 9.1
  • PeopleSoft Enterprise FIN Grants, version 9.2
  • PeopleSoft Enterprise FIN Manufacturing Argentina, version 9.1
  • PeopleSoft Enterprise FIN Manufacturing Brazil, version 9.1
  • PeopleSoft Enterprise FIN Pay/Bill Management, version 9.2
  • PeopleSoft Enterprise FIN Payables, version 9.2
  • PeopleSoft Enterprise FIN Program Management, version 9.2
  • PeopleSoft Enterprise FIN Project Costing, version 9.2
  • PeopleSoft Enterprise FIN Staffing Front Office, version 9.2
  • PeopleSoft Enterprise FIN Staffing Front Office Brazil, version 9.1
  • PeopleSoft Enterprise HCM Global Payroll Mexico, version 9.2
  • PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2
  • PeopleSoft Enterprise HCM Human Resources, version 9.2
  • PeopleSoft Enterprise HCM Talent Acquisition Manager, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.61, 8.62
  • PeopleSoft Enterprise PT PeopleTools, versions 8.61, 8.62
  • PeopleSoft Enterprise SCM eProcurement, version 9.2
  • PeopleSoft Enterprise SCM Inventory, version 9.2
  • PeopleSoft Enterprise SCM Manufacturing, version 9.2
  • PeopleSoft Enterprise SCM Mobile Inventory Management, version 9.2
  • PeopleSoft Enterprise SCM Order Management, version 9.2
  • PeopleSoft Enterprise SCM Purchasing, version 9.2
  • PeopleSoft Enterprise SCM Supplier Contract Management, version 9.2
  • PeopleSoft In-Memory Project Discovery, version 9.2

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 22 new security patches for Oracle Retail Applications.  20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Retail Applications is 9.8.

The Oracle Retail Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Retail Allocation, versions 16.0.3, 19.0.1
  • Oracle Retail Bulk Data Integration, versions 16.0.3, 19.0.1
  • Oracle Retail EFTLink, versions 21.0.0-25.0.0
  • Oracle Retail Extract Tranform and Load, version 13.2.8
  • Oracle Retail Financial Integration, versions 16.0.3, 19.0.1
  • Oracle Retail Integration Bus, versions 14.1.3.2, 16.0.3, 19.0.1
  • Oracle Retail Invoice Matching, versions 16.0.3, 19.0.1
  • Oracle Retail Price Management, version 16.0.3
  • Oracle Retail Pricing, versions 16.0.3, 19.0.1
  • Oracle Retail Service Backbone, versions 16.0.3, 19.0.1
  • Oracle Retail Xstore Point of Service, versions 21.0.3, 21.0.5-25.0.1

Oracle Siebel CRM Executive Summary

This Critical Patch Update contains 45 new security patches for Oracle Siebel CRM.  32 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Siebel CRM is 9.9.

The Oracle Siebel CRM products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Siebel Applications, versions 17.0-26.5

Oracle Supply Chain Executive Summary

This Critical Patch Update contains 39 new security patches for Oracle Supply Chain.  16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Supply Chain is 9.9.

The Oracle Supply Chain products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Agile Engineering Data Management, version 6.2.1
  • Oracle Agile PLM, version 9.3.6
  • Oracle Agile PLM MCAD Connector, version 3.6
  • Oracle Agile Product Lifecycle Management for Process, version 6.2.4
  • Oracle Demantra Demand Management, versions 12.2.6-12.2.14
  • Oracle Product Lifecycle Analytics, version 3.6.1
  • Oracle Transportation Management, version 6.5.3

Oracle Systems Executive Summary

This Critical Patch Update contains 9 new security patches for Oracle Systems.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Systems is 9.8.

The Oracle Systems products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Solaris, versions 11.3, 11.4

Oracle Utilities Applications Executive Summary

This Critical Patch Update contains 14 new security patches for Oracle Utilities Applications.  10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Utilities Applications is 9.8.

The Oracle Utilities Applications products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle Utilities Application Framework, versions 4.3.0.5.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0-4.4.0.4.0, 4.5.0.0.0-4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4, 25.10, 26.4
  • Oracle Utilities Network Management System, versions 2.4.0.1.0-2.4.0.1.32, 2.5.0.1.0-2.5.0.1.17, 2.5.0.2.0-2.5.0.2.11, 2.6.0.1.0-2.6.0.1.12, 2.6.0.2.0-2.6.0.2.8, 25.12.0.0.0-25.12.0.0.2
  • Oracle Utilities Testing Accelerator, versions 7.0.0.0.8, 7.0.0.1.7, 25.4.0.0.3

Oracle Virtualization Executive Summary

This Critical Patch Update contains 16 new security patches for Oracle Virtualization.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Virtualization is 7.8.

The Oracle Virtualization products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

  • Oracle VM VirtualBox, versions 7.2.8, 7.2.12