Oracle addresses 158 CVEs in its first quarterly update of 2026 with 337 patches, including 27 critical updates.
Key takeaways:
The first Critical Patch Update (CPU) for 2026 contains fixes for 158 unique CVEs in 337 security updates.
27 issues (8% of all patches) were assigned a critical severity rating.
CVE-2026-21945, a high severity Server-Side Request Forgery (SSRF) vulnerability in Oracle Java, was discovered by Tenable Research.
Background
On January 20, Oracle released its Critical Patch Update (CPU) for January 2026, the first quarterly update of 2026. This CPU contains fixes for 158 unique CVEs in 337 security updates across 30 Oracle product families. Out of the 337 security updates published this quarter, 8% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.7%, followed by medium severity patches at 42.4%.
This quarter’s update includes 27 critical patches across 13 CVEs.
| Severity | Issues Patched | CVEs |
|----------|----------------|------|
| Critical | 27 | 13 |
| High | 154 | 67 |
| Medium | 143 | 69 |
| Low | 13 | 9 |
| Total | 337 | 158 |
Analysis
This quarter, the Oracle Zero Data Loss Recovery Appliance product family contained the highest number of patches at 56, accounting for 16.6% of the total patches, followed by Oracle Enterprise Manager at 51 patches, which accounted for 15.1% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|-----------------------|-------------------|-----------------------------|
| Oracle Zero Data Loss Recovery Appliance | 56 | 34 |
| Oracle Enterprise Manager | 51 | 47 |
| Oracle E-Business Suite | 38 | 33 |
| Oracle Java SE | 20 | 7 |
| Oracle MySQL | 14 | 10 |
| Oracle PeopleSoft | 14 | 11 |
| Oracle Systems | 14 | 1 |
| Oracle HealthCare Applications | 12 | 10 |
| Oracle JD Edwards | 12 | 10 |
| Oracle Hospitality Applications | 11 | 11 |
| Oracle Retail Applications | 10 | 8 |
| Oracle Commerce | 8 | 7 |
| Oracle Communications | 8 | 2 |
| Oracle Financial Services Applications | 8 | 6 |
| Oracle Database Server | 7 | 2 |
| Oracle TimesTen In-Memory Database | 7 | 6 |
| Oracle Hyperion | 7 | 5 |
| Oracle Analytics | 6 | 6 |
| Oracle GoldenGate | 5 | 3 |
| Oracle Fusion Middleware | 5 | 3 |
| Oracle Siebel CRM | 5 | 1 |
| Oracle Supply Chain | 5 | 4 |
| Oracle Construction and Engineering | 4 | 4 |
| Oracle Health Sciences Applications | 4 | 4 |
| Oracle APEX | 1 | 0 |
| Oracle Essbase | 1 | 1 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle Key Vault | 1 | 0 |
| Oracle NoSQL Database | 1 | 1 |
| Oracle Secure Backup | 1 | 1 |
Tenable Research discovery
As part of the January CPU, Oracle addressed CVE-2026-21945, a high severity Server-Side Request Forgery (SSRF) vulnerability in Oracle Java that is remotely exploitable without authentication. When successfully exploited, it can be leveraged to exhaust resources, causing a denial-of-service (DoS) condition. You can read more about the discovery in our blog post and in our Tenable Research Advisory (TRA).
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2026 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.