
Zoom and GitLab have released security updates that resolve a number of security vulnerabilities that could lead to a denial of service (DoS) or remote code execution.
The most serious issue is a critical security flaw affecting the Zoom Node Multimedia Router (MMR) that could allow meeting participants to conduct remote code execution attacks. The vulnerability, tracked as CVE-2026-22844, was discovered internally by the Attack Security team and has a CVSS score of 9.9 out of 10.0.
“A command injection vulnerability in the Zoom Node Multimedia Router (MMR) prior to version 5.2.1716.0 could allow a meeting participant to perform remote code execution of the MMR via network access,” the company noted in a Tuesday alert.
Zoom recommends that customers using Zoom Node Meetings, Hybrid, or Meeting Connector deployments update to the latest available MMR version to protect against potential threats.
There is no evidence that this security flaw has been exploited in the wild. This vulnerability affects the following versions:
Zoom Node Meetings Hybrid (ZMH) MMR module versions earlier than 5.2.1716.0

Zoom Node Meeting Connector (MC) MMR module versions earlier than 5.2.1716.0

GitLab releases patch for critical flaw
This disclosure comes as GitLab releases fixes for multiple high-severity flaws affecting Community Edition (CE) and Enterprise Edition (EE) that could lead to DoS or a bypass of two-factor authentication (2FA) protections. The flaws are:

CVE-2025-13927 (CVSS score: 7.5) – A vulnerability that allows an unauthenticated user to cause a DoS condition by sending a crafted request that contains malformed authentication data (affects all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)

CVE-2025-13928 (CVSS score: 7.5) – An incorrect authentication vulnerability in the release API that allows an unauthenticated user to cause a DoS condition (affects all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)

CVE-2026-0723 (CVSS score: 7.4) – A vulnerability that allows an individual with existing knowledge of the victim’s credential identity to bypass 2FA by sending a forged device response (affects all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)
GitLab also fixed two medium-severity bugs that could cause a DoS condition (CVE-2025-13335, CVSS score: 6.5, and CVE-2026-1102, CVSS score: 5.3). They can be triggered by configuring a malformed Wiki document that bypasses cycle detection and by repeatedly sending malformed SSH authentication requests.
