Mallory

Oracle January Critical Patch Update Fixes CVSS 10.0 Oracle Fusion Middleware Flaw

Tags: widely-deployed-product-advisory, internet-facing-service-vulnerability, proof-of-concept-release
Updated March 21, 2026 at 02:48 PM (4 sources)

Oracle released its January 2026 Critical Patch Update (CPU), delivering 337 security updates that address 158 unique CVEs across roughly 30 product families; 27 of the updates were rated critical. Tenable's analysis highlights broad exposure to issues that are remotely exploitable without authentication across multiple Oracle product lines, and notes that CVE-2026-21945, a high-severity SSRF issue in Oracle Java, was discovered by Tenable Research.

A standout issue in the CPU is CVE-2026-21962 (CVSS 10.0), an easily exploitable, unauthenticated, network-reachable (HTTP) vulnerability in the Oracle Fusion Middleware components Oracle HTTP Server and the WebLogic Server Proxy Plug-ins (Apache and IIS). Successful exploitation can enable unauthorized creation, deletion, or modification of critical data, and the scope change (S:C) in the CVSS vector means a compromise may significantly affect additional products beyond the vulnerable component. Affected versions are 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0 (the IIS proxy plug-in is affected in 12.2.1.4.0 only).

Timeline

  1. Jan 20, 2026

    Oracle discloses and fixes critical CVE-2026-21962 in Fusion Middleware

    Oracle's January 2026 CPU addressed CVE-2026-21962, a CVSS 10.0 unauthenticated remote vulnerability affecting Oracle HTTP Server and the WebLogic Server Proxy Plug-in. Oracle said the flaw could allow attackers to compromise affected systems over HTTP, including creating, deleting, or modifying data, and urged customers to apply patches or restrict access to exposed HTTP ports.

  2. Jan 20, 2026

    Oracle patches CVE-2026-21945 in Java SE

    Oracle's January 2026 CPU fixed CVE-2026-21945, a high-severity server-side request forgery vulnerability in Oracle Java SE discovered by Tenable Research. The flaw was remotely exploitable without authentication and could be abused to exhaust resources and cause denial of service.

  3. Jan 20, 2026

    Oracle releases January 2026 Critical Patch Update

    On 2026-01-20, Oracle released its January 2026 Critical Patch Update, providing 337 security updates for 158 unique CVEs across 30 product families. The update included 27 critical-severity patches, with many vulnerabilities remotely exploitable without authentication.


Related Stories

Oracle Critical Patch Update Addresses Multiple High-Risk Enterprise Product Flaws

Oracle-related security advisories were issued for multiple enterprise products, including **Oracle Database Server**, **Oracle Fusion Middleware**, **Oracle REST Data Services**, **Oracle Java SE**, **Oracle Financial Services Applications**, and **Oracle E-Business Suite**. Germany's dCERT published separate advisories for each affected product line, indicating broad exposure across core Oracle infrastructure and business application environments. One of the disclosed flaws, **`CVE-2026-34275`**, affects the **Setup and Administration** component of **Oracle Advanced Inbound Telephony** in **Oracle E-Business Suite** versions **12.2.3 through 12.2.15**. Oracle rated the issue **critical** with a **CVSS v3.1 score of 9.8**, stating that an **unauthenticated attacker** with **network access over HTTP** could exploit it to achieve **full takeover** of the affected application. The vulnerability was disclosed as part of Oracle's broader Critical Patch Update, underscoring the need for organizations running Oracle platforms to prioritize patch review and remediation across exposed systems.

2 weeks ago
Oracle Critical Patch Update Fixes High-Severity Flaws in Enterprise Manager, Identity Manager, and PeopleTools

Oracle disclosed three high-severity vulnerabilities affecting core enterprise products in its Critical Patch Update advisory. **CVE-2026-34279** impacts the Event Management component of Oracle Enterprise Manager Base Platform versions `13.5` and `24.1` and is rated `CVSS 9.1`; Oracle said a high-privileged attacker with network access over HTTP could exploit the flaw to take over the platform, with potential impact extending to additional products because of a scope change. **CVE-2026-34286**, also rated `CVSS 9.1`, affects the Core component of Oracle Identity Manager Connector in Oracle Fusion Middleware version `12.2.1.4.0` and can be exploited by an unauthenticated attacker over HTTPS. Oracle also reported **CVE-2026-34309** in the Security component of PeopleSoft Enterprise PeopleTools versions `8.61` through `8.62`, assigning it a `CVSS 8.1` score. The flaw is described as easily exploitable by a low-privileged attacker with network access over HTTP and could allow unauthorized creation, deletion, or modification of critical data, along with access to sensitive or complete accessible data. Across the three disclosures, Oracle warned that successful exploitation could result in platform compromise, data tampering, and broad unauthorized access in widely deployed enterprise management and identity systems.

2 weeks ago
Oracle Critical Patch Update Addresses Multiple Vulnerabilities Across Products

Oracle released its October 2025 Critical Patch Update, addressing security vulnerabilities in a wide range of Oracle products. The advisory stresses applying the latest patches to mitigate these vulnerabilities, which could allow attackers to compromise affected systems. The update includes fixes for several critical flaws, among them two severe vulnerabilities in Oracle Marketing products (CVE-2025-53072 and CVE-2025-62481) that could enable full system takeover if left unpatched. Security agencies have urged organizations to review Oracle's advisory and apply the recommended updates promptly. The vulnerabilities span multiple Oracle product lines, underscoring the need for comprehensive patch management and timely response to vendor advisories to reduce exposure to exploitation and potential business impact.

1 month ago
