Oracle has debuted its monthly Critical Security Patch Update (CSPU) with patches for 77 vulnerabilities, including a dozen critical-severity flaws.
Announced in early May, the monthly rollouts are meant to supplement the quarterly Critical Patch Update (CPU) fixes and resolve high-priority issues faster.
The first CSPU landed at the end of May and will be followed by another in mid-June. July will see the release of a quarterly CPU, with two additional CSPUs planned for August 18 and September 15.
The May 2026 CSPU resolves security defects in five Oracle products, namely Database Server, REST Data Services, Communications, E-Business Suite, and Hospitality Applications.
E-Business Suite received 12 new security patches, including three for vulnerabilities that can be exploited remotely, without authentication.
Oracle announced 11 new security patches for REST Data Services, including seven for bugs exploitable by remote, unauthenticated attackers. The fixes also resolve four bugs in third-party components, including three that are non-exploitable in this Oracle product family.
Communications received eight new security patches, four of which address bugs that can be exploited remotely without authentication. The updates fix 38 additional CVEs in third-party components.
Database Server received fixes for three security defects, all of which are exploitable remotely without authentication, while Hospitality Applications received one security patch for an issue that can be exploited by remote, unauthenticated attackers.
Approximately a dozen of the addressed flaws are critical-severity vulnerabilities, and the majority of the remaining ones are high-severity weaknesses.
Organizations are advised to apply the available updates as soon as possible, as threat actors are known to have targeted vulnerabilities in Oracle products for which patches have been released.
“In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply security patches without delay,” the company notes.
Related: Chrome 148 Update Patches 151 Vulnerabilities
Related: Oracle Patches 450 Vulnerabilities With April 2026 CPU
Related: WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
Related: Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs
