Oracle releases critical security patch to address 337 vulnerabilities across all product families

By AnuPriya
Publication Date: 2026-01-21 10:41:00

Oracle has released its January 2026 Critical Patch Update (CPU), providing security patches for 337 vulnerabilities across multiple product families.

The advisory, published via Oracle’s Security Alerts portal, emphasizes the cumulative nature of these patches and strongly recommends immediate deployment across all enterprise environments to mitigate active exploitation attempts.

Critical vulnerability landscape

The January 2026 CPU addresses vulnerabilities affecting both proprietary Oracle code and third-party components integrated into Oracle products.

Among the most serious disclosures is CVE-2026-21962, which affects Oracle HTTP Server and the WebLogic Server proxy plugin.

This vulnerability has a CVSS 3.1 score of 10.0, the highest severity level: it is exploitable over the network, requires low privileges, and needs no user interaction.

The bug affects proxy plugin implementations in Apache HTTP Server and IIS environments,…