Aggregator

Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates.

Key Takeaways

1. The May 2026 Critical Security Patch Update (CSPU) contains fixes for 35 unique CVEs in 35 security updates
2. 11 issues (31.4% of all patches) were assigned a critical severity rating
3. Oracle E-Business Suite received the highest number of patches at 12, accounting for 34.3% of all patches

Background

On May 28, Oracle released its Critical Security Patch Update (CSPU) for May 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 35 unique CVEs in 35 security updates across 5 Oracle product families. Out of the 35 security updates published, 31.4% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 51.4%, followed by critical severity patches at 31.4%.

This month's update includes 11 critical patches across 11 CVEs.

SeverityIssues PatchedCVEsCritical1111High1818Medium66Low00Total3535Analysis

This month's update saw the Oracle E-Business Suite product family contain the highest number of patches at 12, accounting for 34.3% of the total patches, followed by Oracle REST Data Services at 11 patches, which accounted for 31.4% of the total patches.

A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product FamilyNumber of PatchesRemote Exploit without AuthOracle E-Business Suite123Oracle REST Data Services117Oracle Communications84Oracle Database Server33Oracle Hospitality Applications11Solution

Customers are advised to apply all relevant patches in this CSPU. Please refer to the May 2026 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

• Oracle Critical Security Patch Update Advisory - May 2026
• Oracle May 2026 Critical Security Patch Update Risk Matrices
• Oracle Advisory to CVE Map

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

2-minute read May 28 2026

报告评选出全球35家智能体驱动的开发安全 (ADS) 工具代表厂商，奇安信成为亚太区少数入选的三家厂商之一。

Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On

日本跨党派的“从安全保障思考解析不明异常现象议员联盟”会长滨田靖一（自民党）等人本月28日在日本国会内会晤官房长官木原稔，并提交建议书，要求为应对不明飞行物（UFO）等，在内阁官房设立统筹指挥功能。木

2026年5月29日 11:00软件资讯01.27K

正文以下接口缺少服务端权限校验：GET /voyager/api/voyagerPublishingDashS

A vulnerability classified as critical was found in Oracle Instantis EnterpriseTrack 17.1/17.2/17.3. This impacts an unknown function of the component Apache POI. Such manipulation leads to infinite loop. This vulnerability is referenced as CVE-2017-12626. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is advised.

A vulnerability, which was classified as critical, has been found in Oracle Primavera Gateway 17.12. Affected is an unknown function of the component Apache POI. Performing a manipulation results in infinite loop. This vulnerability is identified as CVE-2017-12626. The attack can be initiated remotely. There is not any exploit available. It is advisable to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Oracle Primavera P6 Enterprise Project Portfolio Management up to 15.2.18/16.2.18/17.12.14/18.8.13. Affected by this vulnerability is an unknown functionality of the component Apache POI. Executing a manipulation can lead to infinite loop. This vulnerability is tracked as CVE-2017-12626. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.

A vulnerability has been found in Oracle Primavera Unifier 16.1/16.2/17.12/18.8 and classified as critical. Affected by this issue is some unknown functionality of the component Apache POI. The manipulation leads to infinite loop. This vulnerability is listed as CVE-2017-12626. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

A vulnerability, which was classified as critical, was found in Oracle Enterprise Repository 12.1.3.0.0. This impacts an unknown function of the component Apache POI. Executing a manipulation can lead to infinite loop. The identification of this vulnerability is CVE-2017-12626. The attack may be launched remotely. There is no exploit available. You should upgrade the affected component.

A vulnerability categorized as critical has been discovered in Oracle Application Testing Suite 12.5.0.3/13.1.0.1/13.2.0.1/13.3.0.1. Impacted is an unknown function of the component Load Testing for Web Apps. The manipulation results in infinite loop. This vulnerability was named CVE-2017-12626. The attack may be performed from remote. There is no available exploit. It is advisable to upgrade the affected component.

A vulnerability labeled as critical has been found in Oracle Application Testing Suite 12.5.0.3/13.1.0.1/13.2.0.1/13.3.0.1. The impacted element is an unknown function of the component Oracle Flow Builder. Such manipulation leads to infinite loop. This vulnerability is referenced as CVE-2017-12626. It is possible to launch the attack remotely. No exploit is available. The affected component should be upgraded.

A vulnerability, which was classified as critical, has been found in Oracle Endeca Information Discovery Studio 36559. Impacted is an unknown function of the component Studio. The manipulation leads to infinite loop. This vulnerability is referenced as CVE-2017-12626. Remote exploitation of the attack is possible. No exploit is available. It is advisable to upgrade the affected component.

A vulnerability was found in Oracle PeopleSoft Enterprise PeopleTools 8.56/8.57. It has been rated as critical. The impacted element is an unknown function of the component Change Impact Analyzer. The manipulation leads to infinite loop. This vulnerability is referenced as CVE-2017-12626. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.

A vulnerability labeled as critical has been found in Oracle Agile PLM 9.3.3/9.3.4/9.3.5/9.3.6. Affected by this vulnerability is an unknown functionality of the component Security. Executing a manipulation can lead to infinite loop. The identification of this vulnerability is CVE-2017-12626. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability, which was classified as critical, was found in Oracle Communications Diameter Signaling Router 8.0.0/8.1.0/8.2.0/8.2.1. This impacts an unknown function of the component IDIH Visualization. Executing a manipulation can lead to infinite loop. This vulnerability is handled as CVE-2017-12626. The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.

A vulnerability classified as critical was found in Oracle Communications Unified Inventory Management 7.3.0/7.4.0. Affected is an unknown function of the component Bulk Import. Executing a manipulation can lead to infinite loop. This vulnerability appears as CVE-2017-12626. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is advised.

A vulnerability was found in Oracle FLEXCUBE Private Banking 12.0/12.1 and classified as critical. Impacted is an unknown function of the component Core. The manipulation results in infinite loop. This vulnerability is cataloged as CVE-2017-12626. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component.