Summary:
Oracle released its June 2026 Critical Security Patch Update (CSPU) on June 16, addressing 243 unique vulnerabilities with 245 patches across 11 product families. This is the second monthly CSPU since Oracle introduced monthly releases in May 2026 alongside its quarterly updates. Nearly half of the patches (122) are rated critical, making this one of Oracle's most significant patch releases of 2026. Oracle Fusion Middleware received the largest share with 106 patches, followed by Oracle E-Business Suite with 55. Four vulnerabilities carry the highest CVSS score of 10.0 and allow an unauthenticated remote attacker to take full control of the affected server over HTTP or T3/IIOP without user interaction. These are flaws in Fusion Middleware's WebLogic Server and Oracle Coherence, and in JD Edwards EnterpriseOne Tools. The update also includes the fix for the actively exploited PeopleSoft zero-day (CVE-2026-35273) disclosed earlier in June. Organisations in the UAE and MENA region using Oracle enterprise platforms should apply this CSPU immediately, prioritising the critical Fusion Middleware and JD Edwards vulnerabilities.
Technical Description:
The four CVSS 10.0 vulnerabilities in this CSPU represent the highest possible risk rating and are the immediate priority. CVE-2026-35308 and CVE-2026-35307 both affect WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) in the Oracle Fusion Middleware product family. Both are unauthenticated, network-exploitable remote code execution flaws accessible over the T3 and IIOP protocols, requiring no privileges and no user interaction. CVE-2026-35301 affects Oracle Coherence (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0), also within Fusion Middleware, via an unauthenticated T3/IIOP exploit path that can lead to full system compromise. CVE-2026-46978 affects JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) and is exploitable over HTTP by an unauthenticated attacker to achieve complete confidentiality, integrity, and availability (CIA) impact.
Beyond the CVSS 10.0 flaws, the June 2026 CSPU addresses a broad range of critical and high-severity vulnerabilities across all major product families. Oracle Fusion Middleware carries 67 critical-severity vulnerabilities in total, with 53 exploitable over the network without authentication. Oracle E-Business Suite contains 16 critical vulnerabilities, including CVE-2026-46895, CVE-2026-46897, CVE-2026-46900, and CVE-2026-46901 in the Oracle Enterprise Command Center Framework (all CVSS 9.9, scope-changing, low-privilege network-exploitable vulnerabilities), and CVE-2026-46902 (CVSS 9.8, unauthenticated full takeover). Oracle JD Edwards received 18 critical patches, 12 of which are exploitable without authentication. Oracle PeopleSoft received 11 patches, including CVE-2026-35278 (CVSS 9.8) in PeopleSoft Enterprise PT PeopleTools Performance Monitor, a remote code execution flaw exploitable without authentication, in addition to the formally incorporated CVE-2026-35273 patch. Oracle MySQL received three critical patches, including CVE-2026-46850 (CVSS 9.9), CVE-2026-46860 (CVSS 9.8), and CVE-2026-46861 (CVSS 9.6). Oracle VM VirtualBox (version 7.2.8), Oracle Solaris 11.4, and Oracle Siebel CRM (versions 17.0–26.5) also received security patches in this cycle.
| CVE | CVSS | Vulnerability Type | Affected Product | Patch / Mitigation |
|---|---|---|---|---|
| CVE-2026-35308, CVE-2026-35307 | 10.0 | Unauthenticated Remote Code Execution via T3/IIOP in Oracle WebLogic Server (Oracle Fusion Middleware) | Oracle WebLogic Server 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0 | Apply the June 2026 Critical Security Patch Update (CSPU) for Oracle Fusion Middleware immediately. Block T3/IIOP access from untrusted networks while patching. |
| CVE-2026-35301 | 10.0 | Unauthenticated Remote Code Execution via T3/IIOP in Oracle Coherence (Oracle Fusion Middleware) | Oracle Coherence 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0 | Apply the June 2026 CSPU for Oracle Fusion Middleware immediately. Block T3/IIOP access to the Coherence cluster port from untrusted networks while patching. |
| CVE-2026-46978 | 10.0 | Unauthenticated remote compromise over HTTP (full confidentiality, integrity and availability impact) in JD Edwards EnterpriseOne Tools | Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 | Apply the June 2026 CSPU for Oracle JD Edwards immediately. |
| CVE-2026-35273, CVE-2026-35278 | 9.8 | Missing Authentication Check leading to Remote Code Execution | Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62; Oracle PeopleSoft Enterprise Applications | Apply the June 2026 CSPU for Oracle PeopleSoft. The patch for CVE-2026-35273 is included in this update. |
Exploitation Demonstration:
- CVE-2026-35308 and CVE-2026-35307 (both CVSS 10.0) in Oracle WebLogic Server (Fusion Middleware, versions 12.2.1.4.0–15.1.1.0.0): An unauthenticated attacker with network access via the T3 or IIOP protocol sends specially crafted deserialization payloads to the WebLogic listener port (default 7001), achieving remote code execution on the application server without credentials or user interaction, resulting in full confidentiality, integrity, and availability impact.
- CVE-2026-35301 (CVSS 10.0) in Oracle Coherence (Fusion Middleware, versions 12.2.1.4.0–15.1.1.0.0): An unauthenticated attacker exploits the same T3/IIOP deserialization attack path against the Oracle Coherence cluster port, achieving unauthenticated remote code execution and full system takeover, with the scope extending to the broader Fusion Middleware deployment.
- CVE-2026-46978 (CVSS 10.0) in JD Edwards EnterpriseOne Tools (versions 9.2.0.0–9.2.26.2): An unauthenticated attacker sends crafted requests to the JD Edwards web server endpoint over HTTP and achieves complete compromise of the EnterpriseOne application server without prior authentication or user interaction.
- CVE-2026-35278 (CVSS 9.8) in PeopleSoft Enterprise PT PeopleTools Performance Monitor (versions 8.61 and 8.62): An unauthenticated network attacker sends crafted requests to the exposed Performance Monitor component, achieving remote code execution on the PeopleSoft application server with full confidentiality, integrity, and availability impact.
- Oracle E-Business Suite Enterprise Command Center Framework (CVE-2026-46895, CVE-2026-46897, CVE-2026-46900, CVE-2026-46901 — all CVSS 9.9; CVE-2026-46902 — CVSS 9.8; affecting versions V15 and V16): Low-privileged or unauthenticated network attackers can achieve full takeover of the Enterprise Command Center Framework, with scope-change impact extending across the broader E-Business Suite deployment.
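Before anything else, a team needs to know which WebLogic and Coherence listeners actually answer T3 from the networks an attacker can reach, and on which base release. The script below is an added example, not part of the advisory or of any Oracle tooling: it sends the client half of the T3 handshake (the same hello that public T3 fingerprinting tools such as nmap's weblogic-t3-info use) and parses the unauthenticated `HELO:<version>` banner the listener returns, then compares the version with the list in the advisory. It assumes the default listener port 7001, probes T3 only (IIOP is not checked), and the sample banner is constructed for offline use. One caveat a practitioner must keep in mind: the banner reports the base release, and applying the CSPU does not change it, so a listed version means "exposed and on an affected base release", not "unpatched"; confirm patch state on the host with `opatch lsinventory`.

```python
import re
import socket
from typing import Optional

# Base versions the advisory lists as affected by CVE-2026-35308 / CVE-2026-35307
# (WebLogic Server) and CVE-2026-35301 (Oracle Coherence).
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0", "14.1.2.0.0", "15.1.1.0.0"}

# Client side of the T3 handshake. A T3 listener answers with a
# "HELO:<version>.<flag>" banner before any authentication takes place.
T3_HELLO = b"t3 12.2.3\nAS:255\nHL:19\nMS:10000000\n\n"

HELO_RE = re.compile(rb"HELO:(\d+(?:\.\d+)+)\.(?:true|false)")

# Constructed sample reply for offline use; live replies have the same shape.
SAMPLE_HELO = b"HELO:14.1.1.0.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"


def parse_t3_helo(banner: bytes) -> Optional[str]:
    """Return the server version from a T3 HELO banner, or None when the
    reply is not a T3 handshake (the port runs something else, or T3 is
    disabled on that channel and the server closed the connection)."""
    m = HELO_RE.search(banner)
    return m.group(1).decode() if m else None


def classify(version: str) -> str:
    """Map a banner version onto the advisory's affected list. The banner is
    the base release only: the CSPU does not change it, so AFFECTED means
    'exposed and on a listed base release', not 'unpatched'."""
    return "AFFECTED" if version in AFFECTED_VERSIONS else "NOT LISTED"


def assess_banner(banner: bytes) -> dict:
    """Combine parsing and classification for one captured reply."""
    version = parse_t3_helo(banner)
    if version is None:
        return {"t3": False, "version": None, "status": "NO T3"}
    return {"t3": True, "version": version, "status": classify(version)}


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Send the T3 hello to host:port and assess the reply. Needs network
    access to the target; only run it against systems you are authorised
    to test. A refused connection raises OSError."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HELLO)
        banner = sock.recv(1024)
    return assess_banner(banner)


if __name__ == "__main__":
    import sys

    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
        print(host, port, probe_t3(host, port))
    else:
        # Offline demonstration on the constructed banner.
        print(assess_banner(SAMPLE_HELO))
```

Run it with a host and optional port from a network segment that mirrors the exposure you are worried about (the internet edge, a user VLAN); a "NO T3" result from outside and an "AFFECTED" result from the application tier is the expected picture once T3 is properly restricted.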
Ease of Exploitation:
The four CVSS 10.0 vulnerabilities in this CSPU pose the highest risk, as they are easily exploitable without authentication and can lead to complete system compromise. Oracle has warned that these flaws are likely to be targeted by automated attacks in the near future. WebLogic Server and Oracle Coherence are particularly high-risk due to their widespread deployment and long history of exploitation. With 53 of the 106 Fusion Middleware patches being remotely exploitable without authentication, the potential attack surface is substantial. Oracle has also reported ongoing successful attacks against customers who have not yet applied the relevant security updates.
Conclusion:
The June 2026 Oracle CSPU is one of the most critical Oracle patch releases of 2026. With four CVSS 10.0 vulnerabilities, 122 critical patches, and a product footprint spanning Fusion Middleware, WebLogic, Coherence, E-Business Suite, JD Edwards, PeopleSoft, MySQL, Solaris, Siebel CRM, and VirtualBox, the remediation scope is extensive. Oracle middleware and application environments that are internet-facing or accessible to low-privileged users face the highest immediate risk. The incorporation of the CVE-2026-35273 patch into this CSPU means that PeopleSoft customers who have not yet applied the earlier emergency patch must do so immediately. UAE and MENA application-platform teams should coordinate emergency change-management activities to prioritise Fusion Middleware patches, followed by E-Business Suite, JD Edwards, PeopleSoft, and MySQL within the same remediation cycle.
Impact:
Successful exploitation of the CVSS 10.0 vulnerabilities in WebLogic Server, Oracle Coherence, and JD Edwards EnterpriseOne Tools can result in complete, unauthenticated takeover of the affected application server, leading to full confidentiality, integrity, and availability impact. For UAE and MENA organisations running Oracle Fusion Middleware as the backbone of enterprise applications, portals, SOA infrastructure, or ERP platforms, this represents a significant risk of server compromise, data exfiltration, lateral movement, and operational disruption. Exploitation of the E-Business Suite Enterprise Command Center vulnerabilities (CVSS 9.8–9.9, scope-changing) could compromise the broader Oracle E-Business Suite deployment. UAE PDPL breach-notification obligations and NCA ECC incident-reporting requirements apply to organisations experiencing confirmed intrusions through any of these vulnerabilities.
IOC and Context Details:
| Topics | Details |
|---|---|
| Tactic Name | Initial Access, Execution, Privilege Escalation, Lateral Movement, Impact |
| Technique Name | Unauthenticated remote code execution via deserialization (Oracle WebLogic Server, Oracle Coherence) and crafted HTTP requests (Oracle JD Edwards, Oracle PeopleSoft, Oracle E-Business Suite), with further security fixes across Oracle MySQL, Oracle Solaris and Oracle Siebel CRM (June 2026 CSPU) |
| Sub Technique Name | Send a deserialization gadget chain via the T3/IIOP protocol to Oracle WebLogic or Oracle Coherence listeners (CVE-2026-35308 / CVE-2026-35307 / CVE-2026-35301, CVSS 10.0) resulting in unauthenticated remote code execution; alternatively send a crafted HTTP request to Oracle JD Edwards EnterpriseOne (CVE-2026-46978, CVSS 10.0) for full application server compromise; or exploit Oracle E-Business Suite Enterprise Command Center (CVE-2026-46895 / CVE-2026-46902, CVSS 9.8–9.9) for a scope-changing full takeover extending across the EBS deployment. |
| Attack Type | Vulnerability |
| Targeted Applications | Oracle WebLogic Server, Oracle Coherence, Oracle E-Business Suite, Oracle JD Edwards EnterpriseOne, Oracle PeopleSoft Enterprise PeopleTools, Oracle MySQL Server, Oracle Solaris 11.4, Oracle Siebel CRM, Oracle VM VirtualBox 7.2.8, Oracle WebCenter Sites, Oracle WebCenter Portal, Oracle WebCenter Content, Oracle Access Manager, Oracle Data Integrator, Oracle Enterprise Manager, Oracle Agile PLM |
| Region Impacted | Global |
| Industry Impacted | Enterprise and Education sectors, particularly organizations running Oracle Fusion Middleware, Oracle E-Business Suite, Oracle PeopleSoft, Oracle JD Edwards, Oracle WebLogic, or other Oracle enterprise platforms |
| IOCs | N/A |
| CVE | CVE-2026-35308, CVE-2026-35307, CVE-2026-35301, CVE-2026-46978 |
Recommended Actions:
- Apply the June 2026 CSPU patches for Oracle Fusion Middleware (WebLogic Server and Coherence) immediately as the highest priority.
- Apply the June 2026 CSPU patches for Oracle JD Edwards EnterpriseOne (CVE-2026-46978, CVSS 10.0) as the second priority.
- Apply the June 2026 CSPU for Oracle E-Business Suite, addressing the critical Enterprise Command Center Framework vulnerabilities.
- Apply the June 2026 CSPU for Oracle PeopleSoft Enterprise, including both CVE-2026-35273 and CVE-2026-35278.
- Apply the June 2026 CSPU for Oracle MySQL, Oracle Solaris 11.4, Oracle VM VirtualBox 7.2.8, and Oracle Siebel CRM within the emergency patching window.
- Restrict T3 and IIOP listener ports on WebLogic Server and Oracle Coherence to trusted networks (for example with a WebLogic connection filter or upstream firewall rules), since the CVSS 10.0 Fusion Middleware flaws are reachable over those protocols.
- Review Oracle Enterprise Manager, Oracle Access Manager, Oracle Identity Manager, Oracle Data Integrator, and Oracle WebCenter deployments for applicable June 2026 CSPU updates.
- Integrate Oracle application logs with your SIEM and configure alerts for unusual T3/IIOP activity, unauthenticated access attempts, and unexpected administrative actions.
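The two recommendations above, restricting T3/IIOP and alerting on T3/IIOP from unexpected sources, can be driven from one allowlist. The script below is an added example, not Oracle's code or part of the advisory: it builds a WebLogic `ConnectionFilterImpl` rule set (rule format `target localAddress localPort action protocols`) that allows T3/T3S/IIOP/IIOPS only from trusted ranges and denies it from everywhere else, renders the WLST needed to install it on the domain's SecurityConfiguration MBean, and then replays constructed firewall flow records through the same rule set to flag the sessions a SIEM should alert on. The trusted CIDRs, the domain name and the flow-log format are assumptions for illustration. The evaluator models the filter's behaviour as the author understands it: rules are tried in order, first match wins, and a connection matching no rule is accepted, which is why the trailing deny rule carries the real restriction; verify that against the documentation for your WebLogic release before relying on it. Note that a WebLogic connection filter drops the session after the TCP connection is accepted, so flow logs still record the attempt, which is exactly what makes the alert useful.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical trusted sources: admin jump hosts and the application tier
# that legitimately opens T3 sessions. Replace with your own ranges.
TRUSTED_SOURCES = ["10.10.20.0/24", "10.10.30.5/32"]

# Protocols over which the advisory's CVSS 10.0 WebLogic/Coherence flaws are reachable.
RMI_PROTOCOLS = ("t3", "t3s", "iiop", "iiops")


@dataclass
class Rule:
    """One ConnectionFilterImpl rule: target localAddress localPort action protocols."""
    target: str              # remote source: IP or CIDR, 0.0.0.0/0 for any
    local_addr: str          # listener address, "*" for any
    local_port: str          # listener port, "*" for any
    action: str              # "allow" or "deny"
    protocols: Tuple[str, ...]

    def text(self) -> str:
        return f"{self.target} {self.local_addr} {self.local_port} {self.action} {' '.join(self.protocols)}"

    def matches(self, src_ip: str, local_port: int, proto: str) -> bool:
        if proto not in self.protocols:
            return False
        if self.local_port != "*" and self.local_port != str(local_port):
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.target, strict=False)


def build_rules(trusted: List[str], listen_port: int = 7001) -> List[Rule]:
    """Allow T3/IIOP only from trusted ranges and deny it from everywhere
    else. HTTP/HTTPS are not mentioned, so the application stays reachable."""
    rules = [Rule(cidr, "*", str(listen_port), "allow", RMI_PROTOCOLS) for cidr in trusted]
    rules.append(Rule("0.0.0.0/0", "*", "*", "deny", RMI_PROTOCOLS))
    return rules


def decide(rules: List[Rule], src_ip: str, local_port: int, proto: str) -> str:
    """First matching rule wins; a connection matching no rule is accepted
    (assumed filter semantics), hence the trailing deny-all rule."""
    for rule in rules:
        if rule.matches(src_ip, local_port, proto):
            return rule.action
    return "allow"


def wlst_script(rules: List[Rule], domain: str) -> str:
    """Render the rules as a WLST script that installs ConnectionFilterImpl
    on the domain's SecurityConfiguration MBean. connect() prompts for the
    admin credentials and URL when called without arguments."""
    quoted = ", ".join(f"'{r.text()}'" for r in rules)
    return "\n".join([
        "import jarray",
        "from java.lang import String",
        "connect()",
        "edit()",
        "startEdit()",
        f"cd('/SecurityConfiguration/{domain}')",
        "cmo.setConnectionFilter('weblogic.security.net.ConnectionFilterImpl')",
        f"cmo.setConnectionFilterRules(jarray.array([{quoted}], String))",
        "save()",
        "activate()",
    ])


# Constructed flow records from a firewall with application identification (not real logs).
SAMPLE_FLOWS = """\
2026-06-17T02:14:09Z src=10.10.20.7 dst=10.10.40.12 dport=7001 app=t3
2026-06-17T02:14:31Z src=203.0.113.45 dst=10.10.40.12 dport=7001 app=t3
2026-06-17T02:15:02Z src=198.51.100.9 dst=10.10.40.12 dport=443 app=https
2026-06-17T02:16:40Z src=203.0.113.45 dst=10.10.40.12 dport=7001 app=iiop
"""

FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=\S+ dport=(\d+) app=(\S+)$")


def flag_untrusted(flows: str, rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Replay flow records through the rule set and return (timestamp, source,
    protocol) for every T3/IIOP session the filter would deny."""
    hits = []
    for line in flows.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, dport, app = m.groups()
        if decide(rules, src, int(dport), app) == "deny":
            hits.append((ts, src, app))
    return hits


if __name__ == "__main__":
    rules = build_rules(TRUSTED_SOURCES)
    print(wlst_script(rules, "base_domain"))
    for hit in flag_untrusted(SAMPLE_FLOWS, rules):
        print("ALERT untrusted T3/IIOP:", hit)
```

The same `decide` function can be pointed at live flow exports instead of `SAMPLE_FLOWS`: every hit before the filter is deployed is a source that will lose T3 access and should be either added to the allowlist or investigated, and every hit afterwards is a bypass attempt worth an alert.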
Reference:
https://www.oracle.com/security-alerts/cspujun2026.html
https://www.oracle.com/security-alerts/cspujun2026verbose.html
https://blog.qualys.com/vulnerabilities-threat-research/2026/06/18/oracle-critical-patch-update-june-2026-security-update-review
https://www.tenable.com/blog/oracle-june-2026-critical-security-patch-update-addresses-243-cves-cve-2026-35273