245 Patches in Oracle's Second Monthly Cycle
Oracle has released its June 2026 Critical Patch Update, delivering 245 new security fixes across its product portfolio. This is the second release since Oracle moved from its long-running quarterly cadence to monthly updates, a shift that reflects how quickly attackers now weaponize disclosed flaws and how much pressure enterprises face to keep pace. Analysts at Qualys, who published their review on June 18, noted that the update spans Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, JD Edwards, MySQL, PeopleSoft, Siebel CRM, Supply Chain, Systems, and Virtualization. Few enterprise stacks will be untouched by at least one of these advisories.
The headline numbers convey the scale of the exposure. Roughly 120 of the vulnerabilities carry a critical severity rating, and Oracle states that around 100 of the flaws can be exploited remotely without any authentication. That combination, critical impact with no credentials required, is the worst-case profile for a defender: an attacker can reach the vulnerable service directly over the network without first obtaining a foothold or a valid account. For organizations running Oracle middleware and databases at the core of their operations, this is not a routine patch cycle to defer to a quiet weekend. It is a material change in exposure that demands prompt triage.
Fusion Middleware Dominates the Risk
Oracle Fusion Middleware absorbed the single largest share of this update, with 106 patches, about 43 percent of the entire release. According to Qualys, 53 of those middleware flaws are remotely exploitable without authentication, and 67 are rated critical. That concentration matters because Fusion Middleware underpins identity, integration, and application infrastructure for a vast number of large enterprises. A vulnerable WebLogic or related component sitting at the heart of an application tier is exactly the kind of target that ransomware crews and access brokers prize, since it offers both reach and privilege inside a network.
The middleware tier is also notoriously hard to patch quickly. These components are deeply embedded, often integrated with custom applications, and subject to change-control processes that slow remediation. Attackers understand this lag and routinely race to exploit middleware flaws before enterprises can schedule downtime. We would urge security teams to treat the Fusion Middleware patches as the top priority within this release, to identify internet-facing instances first, and to apply compensating network controls where an immediate patch is not operationally feasible. The volume of unauthenticated remote flaws here leaves little room for a leisurely rollout.
Critical MySQL Flaws Reach CVSS 9.9
Among the most severe items in the update are three Oracle MySQL vulnerabilities, CVE-2026-46850, CVE-2026-46860, and CVE-2026-46861, carrying CVSS scores of 9.9, 9.8, and 9.6 respectively. Successful exploitation of each can result in remote code execution, the most damaging outcome a database vulnerability can produce. A 9.9 rating is about as close to the maximum as a real-world flaw gets, signaling minimal attacker effort for maximum impact. One caveat for practitioners: under CVSS 3.1 scoring, a 9.9 with full confidentiality, integrity and availability impact is usually a flaw that crosses a scope boundary but still requires a low-privileged account (the fully unauthenticated equivalent scores 10.0), so read the vector in Oracle's risk matrix before assuming no credentials are needed. MySQL received eight new patches in total, four of which are remotely exploitable without authentication.
Databases are where the crown jewels live, so RCE-grade flaws in MySQL warrant urgent attention even though no in-the-wild exploitation has been reported for these specific CVEs yet. The absence of active exploitation is a window, not a reprieve. Once technical details circulate, the gap between disclosure and exploitation for high-CVSS database flaws has historically been short. Enterprises running MySQL, particularly any instance reachable from untrusted networks, should prioritize these fixes and verify that database services are not needlessly exposed: a listener bound to all interfaces and accounts permitted to connect from any host widen the blast radius of every one of these bugs. The cost of a compromised production database dwarfs the cost of an expedited patch window.
PeopleSoft Under Active Attack
Not every flaw in this cycle is theoretical. The update addresses a PeopleSoft PeopleTools vulnerability, tracked by Oracle as CVE-2026-35273, that is already being exploited by the ShinyHunters cybercrime group. Reporting indicates the gang has used the flaw against at least 100 organizations, with a particular concentration in the education sector. Oracle pushed an emergency security update to close the critical hole, and its inclusion in this release reflects how exploitation is now driving the company's patch timing rather than the calendar alone.
ShinyHunters has built a reputation for high-volume data theft and extortion, and a PeopleSoft foothold gives them access to exactly the kind of personal, financial, and HR data that fuels their operation. The active-exploitation status elevates this from a patch to an incident-response question: organizations running affected PeopleTools versions must assume they may already have been targeted, not merely that they could be, and should hunt for signs of compromise in parallel with patching rather than after it. We see the PeopleSoft situation as the clearest illustration of why Oracle abandoned its quarterly rhythm. When threat actors are working through a hundred victims, a three-month wait for a scheduled fix is indefensible.
The Monthly Cadence Cuts Both Ways
Oracle's move to monthly updates is a sensible response to a faster threat environment, but it imposes a real operational burden. Enterprises that built their patch governance around four predictable quarterly events now face twelve, each capable of carrying hundreds of fixes. Oracle itself reminds customers in each advisory that it continues to receive reports of attempts to exploit vulnerabilities for which patches have already been released, a pointed acknowledgment that the gap between availability and deployment is where most real-world compromises occur. The faster Oracle ships, the faster customers must consume.
For CIOs and security leaders, the implication is that patch management can no longer be a periodic project. It must be a continuous, well-resourced program with the automation and testing pipelines to absorb monthly waves without overwhelming staff. The organizations that benefit most from a monthly cadence are those that can actually act on it; those that cannot will simply accumulate risk twelve times a year instead of four. This release, with its heavy load of unauthenticated remote-code-execution flaws, is a stress test of whether an enterprise's remediation machinery can keep up with the new tempo.
Triage Guidance for This Cycle
Given the breadth of the June update, a blanket patch-everything mandate is unrealistic for most enterprises in the short term, so prioritization is essential. We would sequence the work by exposure and exploitability: first, the actively exploited PeopleSoft PeopleTools flaw for any affected deployment; next, internet-facing Fusion Middleware given its concentration of unauthenticated remote flaws; then the critical MySQL RCE vulnerabilities on any reachable database. Asset inventory is the prerequisite for all of this, because a patch program is only as good as an organization's knowledge of what it actually runs.
Beyond patching, defenders should lean on compensating controls while remediation proceeds. Network segmentation to remove direct internet exposure, web application firewalls in front of middleware, and tightened access controls on database services all buy time against opportunistic scanning. Monitoring for the indicators tied to ShinyHunters activity is prudent for PeopleSoft operators specifically. The overarching message from this 245-patch release is consistency under pressure: the enterprises that fare best are not those with the fewest Oracle products, but those with the discipline to triage, test, and deploy at the speed the threat environment now demands.
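The sequencing described in the two paragraphs above (actively exploited first, then exposed unauthenticated-remote flaws, then critical scores on reachable services, with inventory coverage checked and compensating controls assigned while patch windows are pending) is simple enough to encode. The following is an added illustration, not code from the article or from Oracle or Qualys: the hostnames, exposure flags and the attribution of specific findings to hosts are constructed for the example, and only the CVE identifiers, CVSS scores, product names and exploitation status come from the page. The `tier`, `triage`, `compensating_controls` and `coverage_gaps` functions are hypothetical names chosen here.

```python
"""Added example: rank Oracle CPU findings by exposure and exploitability.

Hosts, exposure flags and host-to-CVE mapping below are constructed for
illustration. Only the CVE IDs, CVSS scores, product names and the
active-exploitation status of CVE-2026-35273 come from the article.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str                      # constructed hostname, not from the article
    product: str
    cve: Optional[str]             # None for a product-level item with no CVE named on the page
    cvss: Optional[float]          # None where the page gives no score
    unauth_remote: Optional[bool]  # None = not stated on the page for this item
    exposed: bool                  # reachable from untrusted networks (internet or untrusted segment)
    actively_exploited: bool


def tier(f: Finding) -> int:
    """Map a finding to the triage sequence: 1 = actively exploited anywhere,
    2 = exposed and exploitable without authentication, 3 = critical score
    (CVSS >= 9.0) regardless of exposure, 4 = everything else (normal schedule)."""
    if f.actively_exploited:
        return 1
    if f.exposed and f.unauth_remote:
        return 2
    if f.cvss is not None and f.cvss >= 9.0:
        return 3
    return 4


def triage(findings: list[Finding]) -> list[tuple[int, Finding]]:
    """Order work by tier, then exposed before internal, then CVSS (highest
    first), then host and CVE so the ordering is deterministic."""
    return sorted(
        ((tier(f), f) for f in findings),
        key=lambda tf: (tf[0], not tf[1].exposed, -(tf[1].cvss or 0.0), tf[1].host, tf[1].cve or ""),
    )


def compensating_controls(f: Finding) -> list[str]:
    """Stop-gaps to apply while a patch window is pending, following the
    article's own list: hunt rather than wait on anything under active
    exploitation, remove direct exposure, a WAF in front of middleware,
    and tighter access to database services."""
    controls = []
    if f.actively_exploited:
        controls.append("open an incident: assume prior targeting and hunt for compromise")
    if f.exposed:
        controls.append("remove direct exposure: segment or firewall the service")
    if "Fusion Middleware" in f.product:
        controls.append("front the instance with a WAF until patched")
    if f.product.startswith("MySQL"):
        controls.append("bind to internal interfaces only and restrict client hosts per account")
    return controls


def coverage_gaps(findings: list[Finding], cpu_products: list[str]) -> list[str]:
    """Product families in this cycle's CPU with no inventory entry at all.
    Either the organisation truly runs none, or the inventory is incomplete;
    each needs an explicit answer before the program can claim coverage."""
    seen = {f.product for f in findings}
    return [p for p in cpu_products if not any(s.startswith(p) for s in seen)]


# Constructed inventory (hostnames and exposure are illustrative).
INVENTORY = [
    Finding("db-orders-02", "MySQL", "CVE-2026-46850", 9.9, None, exposed=False, actively_exploited=False),
    Finding("db-orders-02", "MySQL", "CVE-2026-46860", 9.8, None, exposed=False, actively_exploited=False),
    Finding("db-partner-01", "MySQL", "CVE-2026-46861", 9.6, None, exposed=True, actively_exploited=False),
    Finding("hr-psft-01", "PeopleSoft PeopleTools", "CVE-2026-35273", None, None, exposed=True, actively_exploited=True),
    Finding("fmw-edge-03", "Fusion Middleware", None, None, True, exposed=True, actively_exploited=False),
    Finding("fmw-int-07", "Fusion Middleware", None, None, True, exposed=False, actively_exploited=False),
]

# Product families the article lists for the June update.
CPU_PRODUCTS = ["Communications", "E-Business Suite", "Enterprise Manager", "Fusion Middleware",
                "JD Edwards", "MySQL", "PeopleSoft", "Siebel CRM", "Supply Chain", "Systems", "Virtualization"]


if __name__ == "__main__":
    for t, f in triage(INVENTORY):
        print(f"tier {t}  {f.host:<14} {f.cve or f.product:<20} cvss={f.cvss}")
        for c in compensating_controls(f):
            print(f"         - {c}")
    print("no inventory entry for:", ", ".join(coverage_gaps(INVENTORY, CPU_PRODUCTS)))
```

The ordering puts the actively exploited PeopleTools host first even though the page gives it no CVSS score, and places an exposed 9.6 MySQL instance ahead of an internal 9.9, which is the point of sequencing by exposure rather than by score alone. The coverage check is deliberately noisy: a product family that returns as a gap is a question for the asset owners, not a reason to assume the organisation is unaffected.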