The flaw makes machines vulnerable to everything from virus-infected websites to "ransomeware," which wrests control of a computer from its owner until they pay the computer criminals, The San Jose Mercury News reported Friday.
Oracle, the company behind Java, said it would issue a fix Tuesday with "86 new security vulnerability fixes."
It added that "due to the threat posed by a successful attack, Oracle strongly recommends" customers update Java on their computers with the patch as soon as it becomes available.
Java, which allows software programs to run on computers regardless of their operating system and is incorporated in many websites, is widely utilized globally.
"Reports indicate this vulnerability is being actively exploited" by hackers, the Department of Homeland Security said.