Zoom and GitLab have released security updates to resolve several security vulnerabilities that could result in denial of service (DoS) and remote code execution.
The most serious of these is a critical flaw affecting Zoom Node Multimedia Routers (MMRs) that could allow a meeting participant to conduct remote code execution attacks. The vulnerability, tracked as CVE-2026-22844 and discovered internally by the company's Offensive Security team, carries a CVSS score of 9.9 out of 10.0.
“A command injection vulnerability in Zoom Node Multimedia Routers (MMR) before version 5.2.1716.0 could allow a meeting participant to execute remote code via network access to the MMR,” the company said in a Tuesday alert.
Zoom is recommending that customers using Zoom Node Meetings, Hybrid, or Meeting Connector deployments update to the latest available MMR version to protect against any potential threats.
There is no evidence that the security flaw has been exploited in the wild. The vulnerability affects the following versions –
- Zoom Node Meeting Hybrid (ZMH) MMR module versions before 5.2.1716.0
- Zoom Node Meeting Connector (MC) MMR module versions before 5.2.1716.0
GitLab releases patch for critical flaw
The disclosure comes as GitLab released fixes for several high-severity flaws affecting its Community Edition (CE) and Enterprise Edition (EE) that could result in DoS and a bypass of two-factor authentication (2FA) protections. The flaws are listed below –
- CVE-2025-13927 (CVSS score: 7.5) – A vulnerability that could allow an unauthenticated user to create a DoS condition by sending crafted requests with malformed authentication data (affects all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)
- CVE-2025-13928 (CVSS score: 7.5) – An incorrect authorization vulnerability in the Releases API that could allow an unauthenticated user to cause a DoS condition (affects all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)
- CVE-2026-0723 (CVSS score: 7.4) – A vulnerability that could allow someone with existing knowledge of the victim's credential ID to bypass 2FA by submitting forged device responses (affects all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)
GitLab has also addressed two other medium-severity bugs that could trigger a DoS condition (CVE-2025-13335, CVSS score: 6.5, and CVE-2026-1102, CVSS score: 5.3) by configuring malformed wiki documents that bypass cycle detection and by sending repeated malformed SSH authentication requests, respectively.
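For triage, the affected ranges listed above for the three high-severity GitLab CVEs can be turned into a version check. This is an added example, not GitLab's own tooling; the function names are hypothetical, the sample versions are constructed, and it assumes releases newer than the 18.8 branch carry the fixes. The two medium-severity bugs are left out because the article gives no ranges for them.

```python
import re

# First affected release per CVE, transcribed from the list above.
FIRST_AFFECTED = {
    "CVE-2025-13927": (11, 9),
    "CVE-2025-13928": (17, 7),
    "CVE-2026-0723": (18, 6),
}
# Patched branches from the article: (major, minor) -> first fixed patch level.
FIXED = {(18, 6): 4, (18, 7): 2, (18, 8): 2}


def parse_version(text):
    """Turn '18.7.1-ee' or 'v18.7.1' into (18, 7, 1); reject anything else."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(version):
    """True if the release is at or past the fixed level for its branch."""
    major, minor, patch = version
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: branches after 18.8 include the fixes. Branches older than
    # 18.6 have no fixed release listed, so they count as unpatched.
    return (major, minor) > max(FIXED)


def applicable_cves(version_text):
    """Return the high-severity CVEs from the article that apply to a version."""
    version = parse_version(version_text)
    if is_patched(version):
        return []
    return sorted(cve for cve, first in FIRST_AFFECTED.items()
                  if version[:2] >= first)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("git-a", "18.7.1-ee"), ("git-b", "17.6.5"), ("git-c", "18.8.2")]:
        hits = applicable_cves(ver)
        print(f"{host} {ver}: {', '.join(hits) if hits else 'not affected'}")
```

The version string can be taken from the instance's admin area or from the output of `gitlab-rake gitlab:env:info`.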