Zoom, GitLab Release Critical Security Patches for Remote Code Execution Vulnerabilities

New York: Zoom and GitLab issued urgent security updates on Wednesday to address critical vulnerabilities that could allow remote code execution and denial-of-service attacks, affecting millions of enterprise users worldwide.

The most severe flaw, CVE-2026-22844 in Zoom Node Multimedia Routers, earned a severity score of 9.9 out of 10 and could potentially enable any meeting participant to execute remote code on enterprise network infrastructure, according to a security analysis published by TechRepublic.

The vulnerability affects Zoom Node Multimedia Routers before version 5.2.1716.0, creating what security researchers described as a ‘complete disaster’ scenario for enterprise security. The command injection flaw essentially grants meeting participants unauthorized administrative access to networking equipment.

GitLab simultaneously addressed multiple critical vulnerabilities spanning remote code execution, denial-of-service, and two-factor authentication bypass flaws. The standout threat, CVE-2025-13927, allows “completely unauthenticated attackers to crash GitLab instances by sending specially crafted requests with malformed authentication data,” according to the security bulletin.

The GitLab vulnerabilities affect Community and Enterprise Editions, with attack vectors ranging from resource exhaustion in event collection to JSON validation exploits in GraphQL requests. CVSS scores range from 6.5 to 8.5 across different vulnerability types, representing what researchers characterized as systemic security challenges across GitLab’s platform architecture.

Both platforms serve as backbone infrastructure for remote work and software development. Organizations are “heavily dependent on these tools for daily operations,” making the “window for exploitation” massive, security analysts warned.

GitLab’s patches address stored cross-site scripting flaws in GitLab Flavored Markdown, missing authorization bugs in the Duo Workflows API, and denial-of-service vulnerabilities in import functionality. The company deployed updated versions 18.7.1, 18.6.3, and 18.5.5 to GitLab.com on January 7, 2026, urging self-hosted customers to upgrade immediately.

Zoom released patches addressing the critical networking router vulnerability alongside fixes for denial-of-service flaws. Both companies credited security researchers and internal teams for discovering the vulnerabilities through bug bounty programs.

Anurag Shukla

Anurag Shukla is a Senior Journalist with over two decades of experience across television, digital, and print media. He has worked with leading national news organisations and has also served as a Research Officer in the Prime Minister’s Office (PMO), contributing to media research and policy-level content. A former journalism academic, Anurag brings strong editorial depth and a keen understanding of how technology, governance, and society intersect at Tea4Tech.
