By Ionut Arghire
Publication Date: 2026-01-21 10:46:00
Oracle has released 337 new security patches for over 30 products as part of its first Critical Patch Update (CPU) for 2026.
There appear to be about 230 unique CVEs at Oracle January 2026 CPU advisory.
More than two dozen of the new fixes address critical-severity vulnerabilities, and over 235 patches address vulnerabilities that can be exploited remotely without authentication.
About half a dozen patches address CVE-2025-66516 (CVSS score of 10/10), a critical issue Defect in Apache Tika This could lead to XML External Entity (XXE) injection attacks.
The vulnerability affects three Apache Tika modules and can be exploited by inserting crafted XFA files into PDF documents.
Oracle products that have received patches for the issue include Commerce, Communications, Construction and Engineering, Fusion Middleware and PeopleSoft.
Once again, Oracle Communications received the largest number of security fixes with 56. Of which 34…



