Ravie LakshmananJan 21, 2026Vulnerability / Community Safety
Zoom and GitLab have launched safety updates to resolve plenty of safety vulnerabilities that might end in denial-of-service (DoS) and distant code execution.
Essentially the most extreme of the lot is a vital safety flaw impacting Zoom Node Multimedia Routers (MMRs) that might allow a gathering participant to conduct distant code execution assaults. The vulnerability, tracked as CVE-2026-22844 and found internally by its Offensive Safety group, carries a CVSS rating of 9.9 out of 10.0.
“A command injection vulnerability in Zoom Node Multimedia Routers (MMRs) earlier than model 5.2.1716.0 might enable a gathering participant to conduct distant code execution of the MMR by way of community entry,” the corporate famous in a Tuesday alert.
Zoom is recommending that clients utilizing Zoom Node Conferences, Hybrid, or Assembly Connector deployments replace to the newest obtainable MMR model to safeguard in opposition to any potential risk.
There is no such thing as a proof that the safety flaw has been exploited within the wild. The vulnerability impacts the next variations –
Zoom Node Conferences Hybrid (ZMH) MMR module variations prior to five.2.1716.0
Zoom Node Assembly Connector (MC) MMR module variations prior to five.2.1716.0
GitLab Releases Patches for Extreme Flaws
The disclosure comes as GitLab launched fixes for a number of high-severity flaws affecting its Group Version (CE) and Enterprise Version (EE) that might end in DoS and a bypass of two-factor authentication (2FA) protections. The shortcomings are listed beneath –
CVE-2025-13927 (CVSS rating: 7.5) – A vulnerability that might enable an unauthenticated consumer to create a DoS situation by sending crafted requests with malformed authentication knowledge (Impacts all variations from 11.9 earlier than 18.6.4, 18.7 earlier than 18.7.2, and 18.8 earlier than 18.8.2)
CVE-2025-13928 (CVSS rating: 7.5) – An incorrect authorization vulnerability within the Releases API that might enable an unauthenticated consumer to trigger a DoS situation (Impacts all variations from 17.7 earlier than 18.6.4, 18.7 earlier than 18.7.2, and 18.8 earlier than 18.8.2)
CVE-2026-0723 (CVSS rating: 7.4) – A vulnerability that might enable a person with present information of a sufferer’s credential ID to bypass 2FA by submitting cast gadget responses (Impacts all variations from 18.6 earlier than 18.6.4, 18.7 earlier than 18.7.2, and 18.8 earlier than 18.8.2 )
Additionally remediated by GitLab are two different medium-severity bugs that might additionally set off a DoS situation (CVE-2025-13335, CVSS rating: 6.5, and CVE-2026-1102, CVSS rating: 5.3) by configuring malformed Wiki paperwork that bypass cycle detection and sending repeated malformed SSH authentication requests, respectively.
