
Oracle’s First 2026 CPU Delivers 337 New Security Patches

Oracle’s January 2026 CPU resolves roughly 230 unique vulnerabilities across more than 30 products. The post Oracle’s First 2026 CPU Delivers 337 New Security Patches appeared first on SecurityWeek.


Oracle has released 337 new security patches for over 30 products as part of its first Critical Patch Update (CPU) for 2026.

There appear to be roughly 230 unique CVEs in Oracle’s January 2026 CPU advisory.

More than two dozen of the fresh fixes resolve critical-severity vulnerabilities and over 235 patches address flaws that are remotely exploitable without authentication.

Roughly half a dozen patches address CVE-2025-66516 (CVSS score of 10/10), a critical defect in Apache Tika that could lead to XML External Entity (XXE) injection attacks.

Impacting three modules of Apache Tika, the vulnerability can be exploited by placing crafted XFA files inside PDF documents.

Oracle products that received patches for the issue include Commerce, Communications, Construction and Engineering, Fusion Middleware, and PeopleSoft.

Once again, Oracle Communications received the largest number of security fixes, at 56. Of these, 34 resolve bugs that can be exploited by remote, unauthenticated attackers.

Next in line is Fusion Middleware, with 51 new security patches, including 47 for weaknesses that can be exploited remotely, without authentication.

Financial Services Applications received 38 new fixes (33 for remotely exploitable, unauthenticated issues), while MySQL got 20 patches (7 for flaws that can be exploited by remote, unauthenticated attackers).

This month, Siebel CRM, Retail Applications, and Virtualization received 14 security patches each, but the number of issues that are remotely exploitable without authentication differs (11, 10, and 1, respectively).

A significant number of fixes were also rolled out for Hyperion (12 patches – 10 for remotely exploitable, unauthenticated vulnerabilities), PeopleSoft (12 – 10), Java SE (11 – 11), and Supply Chain (10 – 8).

More than two dozen Oracle products received fewer than 10 new security fixes, including Construction and Engineering (8 – 7), Analytics (8 – 6), E-Business Suite (8 – 2), Commerce (7 – 6), JD Edwards (7 – 5), Database Server (7 – 2), HealthCare Applications (6 – 6), Utilities Applications (5 – 4), GoldenGate (5 – 3), and Health Sciences Applications (5 – 3).

Many of the products that were updated also received fixes for additional flaws and non-exploitable bugs. For several products, Oracle only patched non-exploitable third-party CVEs.

On Tuesday, Oracle published a security bulletin describing 14 new security patches for the Oracle Solaris Operating System, including 11 for bugs that can be exploited remotely, without authentication.
