Oracle CSPU: 35 Security Updates in May
Various Oracle products have security vulnerabilities. Updates are available to fix 35 vulnerabilities.
Oracle is known for its quarterly patch days, called “Critical Patch Update” (CPU); the last one took place in April and addressed 481 vulnerabilities. In May, the company has now pushed out a “critical security patch update” (CSPU) for the first time. These are intended to take place on the third Tuesday of months in which there is no regular CPU.
In the overview of the CSPU in May 2026, Oracle developers write that they are addressing 35 vulnerabilities in various products. For example, in Oracle databases, attackers from the network can exploit three vulnerabilities without prior authentication; client installations are also affected. The vulnerability CVE-2026-46833 has a risk rating of “critical” with a CVSS score of 9.0. In Oracle REST Data Services, there are 11 “self-programmed” vulnerabilities and some from external software – seven of them are exploitable remotely without prior authentication. In Backend-as-a-Service, CVE-2026-46840 with CVSS 10.0 receives the highest possible risk rating as “critical.” With CVSS scores above 9, CVE-2026-46775, CVE-2026-46839, and CVE-2026-2332 also fall into this risk group.
In Oracle Communications, developers have patched eight vulnerabilities, of which only CVE-2026-33557 has a “critical” risk rating with CVSS 9.1. In addition, updates are available to close twelve security vulnerabilities in the Oracle E-Business Suite. Developers rate four vulnerabilities here with CVSS scores greater than 9 as a “critical” threat (CVE-2026-46822, CVE-2026-46824, CVE-2026-46817, and CVE-2026-46819). There is also an update to close a security vulnerability in Oracle Hospitality OPERA 5 Property Services (CVE-2026-34311, CVSS 9.8, risk “critical”).
Apply updates now
Security vulnerabilities in Oracle products pose a real risk. For example, last fall criminals exploited a vulnerability in Oracle's E-Business Suite to steal sensitive data from hundreds of companies. Subsequently, the cyber gang Cl0p extorted ransom from affected companies. IT managers should therefore check whether they are using vulnerable Oracle software in their network and apply the available updates promptly.
(dmk)