Zoom and GitLab have launched security updates to resolve plenty of security vulnerabilities that would end in denial-of-service (DoS) and distant code execution.
Probably the most extreme of the lot is a crucial security flaw impacting Zoom Node Multimedia Routers (MMRs) that would allow a gathering participant to conduct distant code execution assaults. The vulnerability, tracked as CVE-2026-22844 and found internally by its Offensive Safety group, carries a CVSS rating of 9.9 out of 10.0.
“A command injection vulnerability in Zoom Node Multimedia Routers (MMRs) earlier than model 5.2.1716.0 could permit a gathering participant to conduct distant code execution of the MMR by way of community entry,” the corporate famous in a Tuesday alert.
Zoom is recommending that prospects utilizing Zoom Node Conferences, Hybrid, or Assembly Connector deployments replace to the newest out there MMR model to safeguard towards any potential risk.
There isn’t any proof that the security flaw has been exploited within the wild. The vulnerability impacts the next variations –
- Zoom Node Conferences Hybrid (ZMH) MMR module variations prior to five.2.1716.0
- Zoom Node Assembly Connector (MC) MMR module variations prior to five.2.1716.0
GitLab Releases Patches for Extreme Flaws
The disclosure comes as GitLab launched fixes for a number of high-severity flaws affecting its Group Version (CE) and Enterprise Version (EE) that would end in DoS and a bypass of two-factor authentication (2FA) protections. The shortcomings are listed under –
- CVE-2025-13927 (CVSS rating: 7.5) – A vulnerability that would permit an unauthenticated person to create a DoS situation by sending crafted requests with malformed authentication knowledge (Impacts all variations from 11.9 earlier than 18.6.4, 18.7 earlier than 18.7.2, and 18.8 earlier than 18.8.2)
- CVE-2025-13928 (CVSS rating: 7.5) – An incorrect authorization vulnerability within the Releases API that would permit an unauthenticated person to trigger a DoS situation (Impacts all variations from 17.7 earlier than 18.6.4, 18.7 earlier than 18.7.2, and 18.8 earlier than 18.8.2)
- CVE-2026-0723 (CVSS rating: 7.4) – A vulnerability that would permit a person with current data of a sufferer’s credential ID to bypass 2FA by submitting cast system responses (Impacts all variations from 18.6 earlier than 18.6.4, 18.7 earlier than 18.7.2, and 18.8 earlier than 18.8.2 )
Additionally remediated by GitLab are two different medium-severity bugs that would additionally set off a DoS situation (CVE-2025-13335, CVSS rating: 6.5, and CVE-2026-1102, CVSS rating: 5.3) by configuring malformed Wiki paperwork that bypass cycle detection and sending repeated malformed SSH authentication requests, respectively.
