Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates. Key Takeaways The May 2026 Critical Security Patch Update (CSPU) contains fixes for 35 unique CVEs in 35 security updates 11 issues (31.4% of all patches) were assigned a critical severity rating Oracle E-Business Suite received the highest number of patches at 12, accounting for 34.3% of all patches Background On May 28, Oracle released its Critical Security Patch Update (CSPU) for May 2026 . Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 35 unique CVEs in 35 security updates across 5 Oracle product families. Out of the 35 security updates published, 31.4% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 51.4%, followed by critical severity patches at 31.4%. This month's update includes 11 critical patches across 11 CVEs. Severity Issues Patched CVEs Critical 11 11 High 18 18 Medium 6 6 Low 0 0 Total 35 35 Analysis This month's update saw the Oracle E-Business Suite product family contain the highest number of patches at 12, accounting for 34.3% of the total patches, followed by Oracle REST Data Services at 11 patches, which accounted for 31.4% of the total patches. A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication. Oracle Product Family Number of Patches Remote Exploit without Auth Oracle E-Business Suite 12 3 Oracle REST Data Services 11 7 Oracle Communications 8 4 Oracle Database Server 3 3 Oracle Hospitality Applications 1 1 Solution Customers are advised to apply all relevant patches in this CSPU. Please refer to the May 2026 advisory for full details. Identifying affected systems A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released. Get more information Oracle Critical Security Patch Update Advisory - May 2026 Oracle May 2026 Critical Security Patch Update Risk Matrices Oracle Advisory to CVE Map Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats. Learn more about Tenable One , the Exposure Management Platform for the modern attack surface.