Oracle January 2026 Critical Patch Update Fixes 336 Vulnerabilities Including CVSS 10.0 Fusion Middleware Flaw

Oracle has released its January 2026 Critical Patch Update (CPU), addressing 336 new security vulnerabilities across its enterprise software portfolio. Among the most severe is a maximum-severity flaw in Oracle Fusion Middleware that could allow attackers to seize complete control of affected servers without authentication.

The Critical Flaw

The vulnerability, tracked as CVE-2026-21962, carries a CVSS score of 10.0—the highest possible severity rating. It affects the Oracle HTTP Server and WebLogic Server Proxy Plug-in, critical components used to bridge web traffic to backend applications in enterprise environments.

The flaw is remotely exploitable without authentication, meaning attackers can compromise vulnerable systems over the network without requiring any credentials. Affected versions include Oracle HTTP Server 12.2.1.4.0 and 14.1.2.0.0, as well as WebLogic Server Proxy Plug-in versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0.

Additional CVSS 10.0 Vulnerabilities

Oracle Fusion Middleware isn't the only product family with maximum-severity flaws. The January CPU also addresses CVSS 10.0 vulnerabilities in:

  • Oracle Commerce (Guided Search and Platform, version 11.4.0)
  • Oracle Communications (multiple products)
  • Oracle PeopleSoft (Enterprise PeopleTools versions 8.60, 8.61, 8.62)

Scope of the Update

The 336 patches span virtually every major Oracle product line:

Product Family               New Patches   Max CVSS
Oracle Communications        56            10.0
Oracle Fusion Middleware     52            10.0
Oracle Financial Services    38            9.1
Oracle MySQL                 20            9.8
Oracle Siebel CRM            14            9.8
Oracle Retail Applications   14            8.8
Oracle Virtualization        14            8.2
Oracle PeopleSoft            12            10.0
Oracle Hyperion              12            9.1
Oracle Java SE               11            7.5

Of the 52 Fusion Middleware vulnerabilities, 47 are remotely exploitable without authentication. Oracle Communications fares similarly, with 34 of its 56 flaws exploitable without credentials.

Recommendations

Oracle strongly recommends applying patches immediately. Organizations running Oracle HTTP Server, WebLogic Server, or any affected Fusion Middleware components should prioritize patching given the unauthenticated remote exploitation vector.

Administrators should review the full advisory for product-specific patch availability and consult Oracle's support documentation for deployment guidance.
