Summary and analysis of the June Critical Security Patch Update (CSPU)
Released Tuesday, 16 June 2026
–URGENT ACTION RECOMMENDED–
For Waratek customers and prospects
Key findings — Oracle CSPU June 2026
Advisory scope: 257 CVE-product matrix entries across 66 products in 11 product families (251 unique CVEs; the same CVE can appear in more than one matrix).
| Severity | Count | No Auth Required |
|---|---|---|
| Critical (CVSS ≥ 9.0) | 134 | 104 |
| High (7.0–8.9) | 104 | — |
| Medium (4.0–6.9) | 15 | — |
| Low (< 4.0) | 4 | — |
Top risk products (Critical CVEs)
| Product | Family | Critical | High | Medium | No Auth Required |
|---|---|---|---|---|---|
| Oracle WebCenter Content | Fusion Middleware | 16 | 13 | 1 | 14 |
| Oracle Enterprise Manager Base Platform | Enterprise Manager | 13 | 6 | — | 9 |
| JD Edwards EnterpriseOne Tools | JD Edwards | 13 | 1 | — | 11 |
| Oracle WebCenter Enterprise Capture | Fusion Middleware | 10 | — | — | 2 |
| Oracle WebCenter Portal | Fusion Middleware | 10 | — | — | 3 |
| Oracle WebCenter Sites | Fusion Middleware | 8 | 3 | — | 8 |
| Oracle Enterprise Command Center Framework | E-Business Suite | 7 | 1 | — | 2 |
| Oracle Coherence | Fusion Middleware | 7 | — | — | 7 |
| Oracle iSupport | E-Business Suite | 3 | — | — | — |
Family-level highlights
Oracle Fusion Middleware is the dominant risk surface, with 69 Critical CVEs across 14 products, 49 of them remotely exploitable without authentication (RNoAuth). The WebCenter stack alone (Content, Portal, Sites, Enterprise Capture, Imaging) accounts for 47 Critical vulnerabilities. Oracle Coherence stands out with 7 Critical CVEs, all scoring 9.3–10.0 and all RNoAuth.
JD Edwards carries 18 Critical entries, 12 of them RNoAuth, concentrated almost entirely in EnterpriseOne Tools (13 Critical, 9 of them at CVSS 9.8).
Oracle Enterprise Manager Base Platform has 19 CVEs total (13 Critical), including 4 Apache Log4j entries (CVE-2026-34477/8/9/0) whose scores were inferred from impact language (see footnote below).
VirtualBox is the only product with no Critical CVEs; all 10 CVEs are High/Medium/Low, none remotely exploitable without authentication.
Special Comments on CVE-2026-35273 in PeopleSoft
CVE-2026-35273 is a critical unauthenticated vulnerability in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, with a CVSS score of 9.8.
Public reports indicate that the vulnerability enables attackers to perform SSRF attacks that can be chained into Remote Code Execution, unauthorized data exfiltration, deployment of remote management agents for persistent access, and lateral movement across internal networks through credential spraying and SMB-based NetNTLM hash harvesting.
Based on currently available public information, Waratek recommends a defense-in-depth security policy to mitigate exploitation of this issue. Waratek customers can apply the recommended security controls that address different elements of the attack chain, providing multiple places where the attack can be intercepted and blocked. As more information on this CVE becomes available, this list will be updated, as required.
If you require assistance enabling the above configurations, please contact support@waratek.com and our Customer Success team can assist.
For More Information
Waratek customers should contact customersuccess@waratek.com for guidance on which RASP rules already cover CVEs in the June 2026 CSPU.
Prospects evaluating Waratek can contact sales@waratek.com for a protection assessment.
Source advisory: Oracle Critical Security Patch Update Advisory – June 2026
About Waratek
Waratek offers the only compiler-based, runtime application tools that find vulnerabilities in the pre-production development pipeline, block attacks in production, and virtually patch flaws with no downtime or source code changes. Waratek IAST watches code execute to identify security flaws with absolute certainty, eliminating the “guesswork” and alert fatigue associated with traditional scanners. Waratek RASP intercepts and terminates unsafe operations at the JVM level, stopping attempts to change app behavior in attacks aimed at known and Zero Day vulnerabilities. Waratek is a trusted partner for organizations in global financial services, hospitality, healthcare, technology and other industries. Waratek has offices in Dublin, Ireland and Chicago, Illinois.



