Oracle has released the first security fixes in its new monthly Critical Security Patch Update (CSPU) cycle, designed to address urgent vulnerabilities that can’t wait for the company’s quarterly patching. The initial batch addresses 35 flaws, including several for which exploit code is publicly available.
In total, there are 11 flaws rated ‘critical’, 18 rated ‘high’, and 6 ‘medium’. The most important on paper are 10 critically-rated flaws, including those affecting Oracle REST Data Services (CVE-2026-46840, CVE-2026-46775, CVE-2026-46839), Oracle E-Business Suite (CVE-2026-46822), the Oracle Universal Work Queue portal (CVE-2026-46824), and Oracle Payments (CVE-2026-46817).
Despite the high CVSS scores for those bugs, patching teams will probably want to start with a clutch of older but still serious flaws for which proof-of-concept (PoC) exploit code reportedly exists: CVE-2025-15467, CVE-2025-58050, and CVE-2026-25646 in Oracle Communications Unified Assurance network management, and CVE-2026-2332 in Oracle REST Data Services.
All relate to open source components embedded in Oracle products, and one, CVE-2025-58050, was first made public last August, underlining how long it can take to patch supply chain flaws in modern platforms.
Another priority fix should be CVE-2026-46840, with a perfect CVSS rating of ’10’. It’s a vulnerability in the backend-as-a-service component of REST Data Services versions 24.2.0 through 26.1.0.
REST Data Services is a gateway that exposes corporate databases via APIs. This flaw makes that interface easily exploitable by an unauthenticated attacker via HTTPS, resulting in a takeover of the gateway, making it a high priority for attackers.
Also deserving to be on the high priority list are the two flaws affecting the REST Data Services core, CVE-2026-46775 and CVE-2026-46839. Rated CVSS 9.9, all that stops these from being CVSS 10 flaws is the need for network credentials to exploit them.
Oracle ‘third Tuesday’
Announced earlier this month, the monthly CSPU is meant to be a smaller update patching high-severity flaws ahead of the larger, more general Critical Patch Updates (CPUs) updates that will continue to be released on a quarterly basis. The initial CSPU was released last Thursday.
In its update notes, Oracle said that the CSPU “provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption.”
Despite the publicity around automated AI vulnerability hunting systems such as OpenAI’s Trusted Access for Cyber program or Claude Mythos, both of which Oracle has said it has access to, none of May’s vulnerability discoveries were attributed to these systems.
The change to a monthly update cycle brings Oracle into line with software vendors such as Microsoft and Adobe, and appears to be a reaction to the growth in the volume of more serious vulnerabilities now being reported.
In the future, the company will release CSPUs on the third Tuesday of each month, with the first four scheduled for June 16, July 21, August 18, and September 15. Oracle cloud customers are patched automatically.
No Responses