Oracle released its January 2026 Critical Patch Update (CPU), delivering 337 security updates addressing 158 unique CVEs across roughly 30 product families; 27 of the updates were rated critical. Tenable’s analysis highlights broad exposure to remotely exploitable issues without authentication across multiple Oracle product lines, and notes CVE-2026-21945, a high-severity SSRF issue in Oracle Java, was discovered by Tenable Research.
A standout issue in the CPU is CVE-2026-21962 (CVSS 10.0), an easily exploitable, unauthenticated, network-reachable (HTTP) vulnerability in Oracle Fusion Middleware components Oracle HTTP Server and the WebLogic Server Proxy Plug-ins (Apache and IIS). Successful exploitation can enable unauthorized creation, deletion, or modification of critical data and potentially broader downstream impact due to a scope change (S:C), meaning compromise may significantly affect additional products; affected versions include 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0 (with the IIS proxy plug-in affected in 12.2.1.4.0 only).

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Oracle's January 2026 CPU addressed CVE-2026-21962, a CVSS 10.0 unauthenticated remote vulnerability affecting Oracle HTTP Server and the WebLogic Server Proxy Plug-in. Oracle said the flaw could allow attackers to compromise affected systems over HTTP, including creating, deleting, or modifying data, and urged customers to apply patches or restrict access to exposed HTTP ports.
Oracle's January 2026 CPU fixed CVE-2026-21945, a high-severity server-side request forgery vulnerability in Oracle Java SE discovered by Tenable Research. The flaw was remotely exploitable without authentication and could be abused to exhaust resources and cause denial of service.
On 2026-01-20, Oracle released its January 2026 Critical Patch Update, providing 337 security updates for 158 unique CVEs across 30 product families. The update included 27 critical-severity patches, with many vulnerabilities remotely exploitable without authentication.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcesecurityonline.info
Open sourcecvefeed.io
Open sourcetenable.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.