Oracle's June 2026 Critical Security Patch Update Delivers 245 Patches, Including Fix for Actively Exploited PeopleSoft Flaw
Oracle released its June 2026 Critical Security Patch Update, the second monthly batch, addressing 245 vulnerabilities across major product families, including a PeopleSoft flaw exploited by the ShinyHunters group.
Oracle on Tuesday announced the release of its June 2026 Critical Security Patch Update (CSPU), the second since it began releasing monthly patches. The company still releases its quarterly Critical Patch Updates, but it recently decided to supplement them with monthly patches to address more severe vulnerabilities. The latest round delivers 245 new patches across Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, JD Edwards, MySQL, PeopleSoft, Siebel CRM, Supply Chain, Systems, and Virtualization products.
Roughly 120 vulnerabilities have been assigned a 'critical' severity rating based on CVSS score. According to Oracle, 100 flaws can be exploited remotely without authentication. Of the total number of security holes, more than 100 were patched in Oracle Fusion Middleware, a vast majority rated 'critical' or 'high' severity.
Notably, the update includes a fix for CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Security firms recently reported seeing the ShinyHunters cybercrime group exploiting this flaw, targeting at least 100 organizations, many in the education sector. Oracle has urged users to patch the vulnerability, but its public documentation does not explicitly confirm in-the-wild exploitation.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which it has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. However, the company has not mentioned the exploitation of zero-day vulnerabilities in this update.
Organizations running affected Oracle products are advised to apply the patches promptly. The June 2026 CSPU marks a significant step in Oracle's accelerated patching cadence, aiming to reduce the window of exposure for critical vulnerabilities. The inclusion of the PeopleSoft fix underscores the ongoing threat from groups like ShinyHunters, who continue to target unpatched enterprise software.