Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070
contact_icon
Buy Try
Exposure Management
AI Security
Cloud Security
OT Security
Vulnerability Management
Hexa AI
Identity Security
Patch Management
Attack Surface Management
Web App Scanning
Security Tool Connectors
View all products

Explore By Use Case

Secure AI
Secure OT/IoT
Exposure Management
Cloud Security
Compliance
Vulnerability Management
Asset Inventory
Highly Secure Environments
Secure Data Centers
Zero-Trust

Explore By Industry

Financial Services
Energy
Healthcare
Technology
Education
Government Defense
Retail
Why choose Tenable
Industry recognition
Customer stories
Tenable vs competitors
Report
Tenable is the one clear leader in Exposure Management
See why
Resource library
Exposure management resources
Blog
Research center
Training and certification
Cybersecurity guide
Customer stories
Find a partner
Resources

Exposure management
resource center

Accelerate your exposure management strategy with practical resources and tools.
Explore
About Tenable
Leadership
Investor relations
Tenable ventures
Awards and recognition
Media room
Careers
Engagement and inclusion
Exposure Management Leadership Council
2-minute read May 28 2026

Oracle May 2026 Critical Security Patch Update Addresses 35 CVEs

Research Special Operations
By Research Special Operations
Subscribe
A header image for "tenable research special operations" on a dark background. The central text reads "Oracle Critical Security Patch Update (CSPU)" in white and blue lettering, with "May 2026" written below. The design features a white hexagonal logo in the center and an abstract pattern of white hexagons along the right edge.

Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates.

Key Takeaways

  1. The May 2026 Critical Security Patch Update (CSPU) contains fixes for 35 unique CVEs in 35 security updates
  2. 11 issues (31.4% of all patches) were assigned a critical severity rating
  3. Oracle E-Business Suite received the highest number of patches at 12, accounting for 34.3% of all patches

Background

On May 28, Oracle released its Critical Security Patch Update (CSPU) for May 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 35 unique CVEs in 35 security updates across 5 Oracle product families. Out of the 35 security updates published, 31.4% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 51.4%, followed by critical severity patches at 31.4%.

Pie chart showing the count of patches released in the Oracle May 2026 Critical Security Patch Update (CSPU)

This month's update includes 11 critical patches across 11 CVEs.

SeverityIssues PatchedCVEs
Critical1111
High1818
Medium66
Low00
Total3535

Analysis

This month's update saw the Oracle E-Business Suite product family contain the highest number of patches at 12, accounting for 34.3% of the total patches, followed by Oracle REST Data Services at 11 patches, which accounted for 31.4% of the total patches.

A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product FamilyNumber of PatchesRemote Exploit without Auth
Oracle E-Business Suite123
Oracle REST Data Services117
Oracle Communications84
Oracle Database Server33
Oracle Hospitality Applications11

Solution

Customers are advised to apply all relevant patches in this CSPU. Please refer to the May 2026 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Author

Learn more

Research Special Operations

Research Special Operations

The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this han...

Read more

Learn more

Related articles

Research
Download pumping: New npm deception technique for supply chain attacks image
May 28 2026

Download pumping: New npm deception technique for supply chain attacks

Research
Inside the customer environment: Where threat actors, vulnerabilities, and… image
May 27 2026

Inside the customer environment: Where threat actors, vulnerabilities, and…

AI Security
EXPOSURE 2026 prepares cybersecurity professionals for the AI era image
May 26 2026

EXPOSURE 2026 prepares cybersecurity professionals for the AI era

  • Exposure Management
  • Vulnerability Management