Oracle Critical Security Patch Update Pre-Release Announcement - June 2026


Description

This Critical Security Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Security Patch Update for June 2026, which will be released on Tuesday, June 16, 2026.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Security Patch Update Advisory.

A Critical Security Patch Update (CSPU) provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. Critical Security Patch Updates complement Oracle’s existing quarterly cumulative Critical Patch Updates (CPUs). This Critical Security Patch Update addresses 251 new security patches. Some of the vulnerabilities addressed in this Critical Security Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Security Patch Update patches as soon as possible.

Executive Summaries

Oracle GoldenGate Executive Summary

This Critical Security Patch Update contains 2 new security patches for Oracle GoldenGate.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle GoldenGate is 7.8.

The Oracle GoldenGate products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle GoldenGate, versions 21.3-21.21, 23.4-23.26.1

Oracle Communications Executive Summary

This Critical Security Patch Update contains 2 new security patches for Oracle Communications.  Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Communications is 7.5.

The Oracle Communications products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle Communications Convergent Charging Controller, versions 15.0.0.0.0-15.0.1.0.0, 15.1.0.0.0-15.2.0.0.0
  • Oracle Communications Network Charging and Control, versions 15.0.0.0.0-15.0.1.0.0, 15.1.0.0.0-15.2.0.0.0

Oracle E-Business Suite Executive Summary

This Critical Security Patch Update contains 60 new security patches for Oracle E-Business Suite.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle E-Business Suite is 9.9.

The Oracle E-Business Suite products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle E-Business Suite, versions 12.2.3-12.2.15, V15, V16

Oracle Enterprise Manager Executive Summary

This Critical Security Patch Update contains 16 new security patches for Oracle Enterprise Manager.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  None of these patches are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager installed.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Enterprise Manager is 9.9.

The Oracle Enterprise Manager products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • APM - Application Performance Management, versions 13.5, 24.1
  • Oracle Enterprise Manager Base Platform, versions 13.5, 24.1

Oracle Fusion Middleware Executive Summary

This Critical Security Patch Update contains 106 new security patches for Oracle Fusion Middleware.  53 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Fusion Middleware is 10.0.

The Oracle Fusion Middleware products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Identity Manager, versions 12.2.1.4.0, 14.1.2.1.0
  • Identity Manager Connector, version 12.2.1.4.0
  • Oracle Access Manager, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle Application Development Framework (ADF), versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0
  • Oracle Data Integrator, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle Unified Directory, versions 12.2.1.4.0, 14.1.2.1.0
  • Oracle Virtual Directory, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebCenter Content, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebCenter Enterprise Capture, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebCenter Portal, versions 12.2.1.4.0, 14.1.2.0.0
  • Oracle WebCenter Sites, versions 12.2.1.4.0, 14.1.2.0.0, 14.1.2.1.0
  • WebCenter Content: Imaging, versions 12.2.1.4.0, 14.1.2.0.0
  • WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0

Oracle JD Edwards Executive Summary

This Critical Security Patch Update contains 20 new security patches for Oracle JD Edwards.  13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle JD Edwards is 9.9.

The Oracle JD Edwards products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • JD Edwards EnterpriseOne Accounts Payable, version 9.2
  • JD Edwards EnterpriseOne General Ledger, version 9.2
  • JD Edwards EnterpriseOne Human Resources Management, version 9.2
  • JD Edwards EnterpriseOne Order Promising, version 9.2
  • JD Edwards EnterpriseOne Project Costing, version 9.2
  • JD Edwards EnterpriseOne Tools, versions 9.2.0.0-9.2.26.2

Oracle MySQL Executive Summary

This Critical Security Patch Update contains 8 new security patches for Oracle MySQL.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 9.9.

The Oracle MySQL products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • MySQL NDB Cluster, versions 8.0.11-8.0.46, 8.4.0-8.4.9, 9.7.0
  • MySQL Router, versions 8.4.0-8.4.9, 9.7.0
  • MySQL Server, versions 8.4.0-8.4.9, 9.7.0
  • MySQL Shell, versions 8.4.0-8.4.9, 9.7.0

Oracle PeopleSoft Executive Summary

This Critical Security Patch Update contains 11 new security patches for Oracle PeopleSoft.  8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle PeopleSoft is 8.8.

The Oracle PeopleSoft products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • PeopleSoft Enterprise CS Campus Community, version 9.2.38
  • PeopleSoft Enterprise CS Student Financials, version 9.2.38
  • PeopleSoft Enterprise PT PeopleTools, versions 8.61, 8.62

Oracle Siebel CRM Executive Summary

This Critical Security Patch Update contains 12 new security patches for Oracle Siebel CRM.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Siebel CRM is 9.8.

The Oracle Siebel CRM products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Siebel Applications, versions 17.0-26.5

Oracle Supply Chain Executive Summary

This Critical Security Patch Update contains 1 new security patch for Oracle Supply Chain.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Supply Chain is 9.8.

The Oracle Supply Chain products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle Agile PLM, version 9.3.6

Oracle Systems Executive Summary

This Critical Security Patch Update contains 3 new security patches for Oracle Systems.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Systems is 10.0.

The Oracle Systems products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle Solaris, version 11

Oracle Virtualization Executive Summary

This Critical Security Patch Update contains 10 new security patches for Oracle Virtualization.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without requiring user credentials. 

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Virtualization is 7.5.

The Oracle Virtualization products and versions affected by vulnerabilities that are addressed in this Critical Security Patch Update are:

  • Oracle VM VirtualBox, version 7.2.8