
All news in category “Security Advisory and Patch Watch”


SmarterMail authentication bypass patched, now exploited

🔒 Researchers report an authentication bypass in SmarterTools SmarterMail (tracked as WT-2026-0001) being actively exploited days after a Jan 15, 2026 patch (Build 9511). An unauthenticated HTTP request to the /api/v1/auth/force-reset-password endpoint can set an IsSysAdmin flag and reset any administrator password if the attacker knows the admin username. The same privileged path enables SYSTEM-level remote code execution via the product's Volume Mount Command feature. watchTowr Labs went public after community reports showed the endpoint had been used to change an admin password on Jan 17, indicating that attackers reverse-engineered the patch within days of its release.

Cisco Fixes Actively Exploited Zero-Day in Unified CM, Webex

🔒 Cisco released patches for a critical, actively exploited vulnerability tracked as CVE-2026-20045 that affects multiple Unified Communications products and Webex Calling Dedicated Instance. The flaw (CVSS 8.2) allows unauthenticated remote attackers to execute arbitrary commands via crafted HTTP requests against the web-based management interface. Cisco urged customers to upgrade to fixed releases or apply published patch files; there are no workarounds. The U.S. CISA has added the issue to its KEV catalog with a remediation deadline of February 11, 2026.

GitLab 2FA Bypass Vulnerability Requires Immediate Patch

🔒 A critical two-factor authentication bypass (CVE-2026-0723) in GitLab Community and Enterprise editions allows an attacker who knows a user’s credentials to submit forged device responses and bypass MFA. GitLab released patches in versions 18.8.2, 18.7.2 and 18.6.4 and strongly recommends that all self-managed instances upgrade immediately. Additional fixes address several denial-of-service and authorization flaws; GitLab.com and Dedicated tenants are already protected.

Chainlit vulnerabilities allow file reads, SSRF in cloud

🔒 Chainlit, a widely used open-source framework for building conversational AI, contained two high-severity flaws that enable arbitrary file reads and server-side request forgery without user interaction. Zafran Labs identified the issues, tracked as CVE-2026-22218 and CVE-2026-22219, which together can expose API keys, cloud credentials, source code, and internal services. The defects were fixed in v2.9.4; organizations should upgrade to 2.9.4 or later immediately and inspect for potential data exfiltration.

Cisco fixes critical Unified Communications RCE zero-day

🔒 Cisco released patches to address a critical remote code execution vulnerability, CVE-2026-20045, actively exploited against Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw stems from improper validation of user-supplied input in HTTP requests to the web management interface and can allow an attacker to gain user access and escalate to root. Administrators should apply the version-specific updates or provided .cop patch files immediately, as Cisco reports no available workarounds.

Oracle issues 337 patches including critical Tika fix

🛡️ Oracle's January quarterly update delivers 337 security fixes across its product portfolio, including 27 rated critical. The vendor reports no known in-the-wild exploitation at release, but urges priority attention to the 13 CVEs mapped to critical severity. A substantial share of patches address third-party and open-source components such as Apache Tika, creating cross-product CVE overlap and assessment complexity.

Patched FortiGate Firewalls Still Being Compromised

🚨 Fortinet customers report attackers bypassing a previously patched FortiGate authentication flaw (CVE-2025-59718) to create admin accounts on devices running FortiOS 7.4.9 and 7.4.10. Fortinet reportedly plans releases of FortiOS 7.4.11, 7.6.6 and 8.0.0 to fully remediate the issue. Until those updates are available, admins are advised to disable FortiCloud SSO using the GUI or the CLI mitigation steps Fortinet published. Shadowserver found over 25,000 devices with FortiCloud SSO enabled in mid-December, and CISA has listed the vulnerability as actively exploited and ordered expedited patching.

Zoom and GitLab Release Patches for Critical Flaws

🔒 Zoom and GitLab released security updates to address multiple vulnerabilities that could enable denial-of-service, remote code execution, and a two-factor authentication bypass. The most severe is a critical command injection in Zoom Node Multimedia Routers (CVE-2026-22844, CVSS 9.9) that may allow remote code execution; Zoom reports no evidence of active exploitation. GitLab patched several high-severity DoS and 2FA-bypass issues across CE and EE releases. Administrators should apply the provided patches, upgrade affected modules, and review exposure to untrusted networks immediately.

Microsoft shares workaround for Outlook freezing issue

🔧 Microsoft provided a temporary workaround for users whose Outlook desktop client freezes after installing this month's Windows security updates. The bug affects POP accounts and configurations that store PST files on cloud-backed storage such as OneDrive or Dropbox, and has been reported on Windows 11 25H2 and 24H2, Windows 10, and multiple Windows Server releases. Microsoft recommends accessing mail via webmail, moving PST files out of OneDrive, or uninstalling the KB5074109/KB5073724 updates via Settings > Windows Update > Update history > Uninstall updates, while warning that removing security updates increases exposure to threats.

GitLab warns of 2FA bypass and multiple DoS vulnerabilities

🔒 GitLab has patched a high-severity two-factor authentication bypass (CVE-2026-0723) that could allow attackers who know a target's account ID to submit forged device responses and bypass 2FA. The release also addresses two high-severity denial-of-service flaws (CVE-2025-13927, CVE-2025-13928) and two medium-severity DoS issues affecting Wiki rendering and SSH authentication. Administrators should upgrade to 18.8.2, 18.7.2, or 18.6.4 immediately; GitLab.com is already patched.

CISA Adds Cisco Code Injection CVE to KEV Catalog (Jan 2026)

🔔 CISA has added CVE-2026-20045, a code injection vulnerability affecting Cisco Unified Communications products, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The agency warns that code injection is a frequent attack vector and poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by the required deadlines. CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.

WhisperPair: Bluetooth Headset Tracking Vulnerability

🔒 A newly disclosed flaw called WhisperPair (CVE-2025-36911) lets an attacker pair with many Bluetooth headsets by abusing Google Fast Pair requests, even when accessories are not in pairing mode. In roughly 10 seconds and within about 14 meters, a hostile device can assume owner-level privileges, enabling microphone access, audio control, or remote location tracking via Google Find Hub. iPhone and other non-Android users face elevated risk because an attacker can register the headset to their Google account if it has never been paired to Android. Mitigations include installing vendor firmware updates, performing a factory reset, or using a trusted Android device to claim ownership if no patch is available.

EU-led GCVE launched as decentralized CVE alternative

🌐 The open-source Global Cybersecurity Vulnerability Enumeration (GCVE) has launched as a community-driven, European-headquartered alternative to the US-led CVE program. Hosted by CIRCL at db.gcve.eu, the initiative aggregates vulnerability data from more than 25 public sources and empowers GCVE Numbering Authorities (GNAs) to allocate identifiers independently. Backers say the model reduces single points of failure, strengthens digital sovereignty by combining open-source software with European-controlled infrastructure, and—if kept compatible with existing conventions—could speed and diversify vulnerability disclosure without causing tracking misalignment.

Prioritizing Vulnerabilities Beyond the CVSS Number

🔗 CVSS remains a useful baseline for rating technical severity, but the article argues it often misses operational context and relational risk. It introduces the unified linkage model (ULM), which evaluates vulnerabilities by how they can propagate through adjacency, inheritance and trust relationships. By mapping connections—shared libraries, CI/CD pipelines, identity systems—organizations can prioritize based on reach and downstream influence rather than score alone.

Chainlit flaws enable cloud key leaks and SSRF risks

⚠️ Chainlit, a widely used open-source framework for building conversational AI chatbots, contained high-severity vulnerabilities that can expose arbitrary files and permit server-side request forgery, enabling data theft and lateral movement within compromised environments. Zafran Security identified two primary issues: CVE-2026-22218 (arbitrary file read, CVSS 7.1) and CVE-2026-22219 (SSRF with SQLAlchemy, CVSS 8.3). Both were responsibly disclosed on November 23, 2025 and patched in Chainlit 2.9.4 on December 24, 2025. Administrators should upgrade, audit deployments for misuse, and rotate any potentially exposed credentials.

CERT/CC warns binary-parser flaw enables JS execution

🛡️ The CERT/CC has warned of a code-injection vulnerability in the binary-parser npm library (CVE-2026-1245) that can permit execution of arbitrary JavaScript when parser source is dynamically generated at runtime. The flaw arises from unsanitized, attacker-controlled values — such as parser field names and encoding parameters — being embedded into code compiled with the Function constructor. Applications that accept untrusted parser definitions are at risk; static, hard-coded parsers are not affected. Users should upgrade to binary-parser 2.3.0 and avoid passing user-controlled values into parser definitions.

Anthropic Git MCP Server: Three Flaws Risk LLM Tampering

🔓 Researchers at Israel-based Cyata disclosed three vulnerabilities in Anthropic's official mcp-server-git that enable prompt-injection attacks to influence MCP tool calls and perform unapproved actions. The flaws affect versions prior to 2025.12.18 and are tracked as CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145; together they allow arbitrary git flags, path tampering, file overwrite/deletion, and abuse of git smudge/clean filters to execute code. Cyata and interviewed experts urge an immediate update to the patched release and recommend auditing MCP deployments, restricting Git + Filesystem combinations, applying least-privilege, sanitizing inputs, and adding logging and retrospection for agent actions.

Chainlit Vulnerabilities Permit File Reads and SSRF Access

⚠️ Security researchers disclosed two critical vulnerabilities in the Python-based AI app framework Chainlit that allow unauthenticated attackers to read arbitrary server files and trigger SSRF requests. The flaws (CVE-2026-22218 and CVE-2026-22219), fixed in Chainlit 2.9.4, stem from an unvalidated custom Element type exposing path and URL properties. Exploits can leak environment variables, API keys, LLM prompts, and cloud credentials, enabling lateral movement and broader compromise.

ACF Extended Bug Lets Attackers Gain Admin Access Now

⚠️ A critical vulnerability in ACF Extended (CVE-2025-14533) allows unauthenticated attackers to obtain administrative privileges by abusing the plugin's 'Insert User / Update User' form action in versions up to 0.9.2.1. The flaw fails to enforce role restrictions at the form level, enabling attackers to set arbitrary roles, including administrator, when a role field is present. The vendor released a patch in version 0.9.2.2 on December 14, 2025; administrators should update immediately and audit any forms that create or update users because roughly 50,000 sites may still be exposed.

Azure Private Endpoint DNS Risks Can Cause Service DoS

🔒 Unit 42 researchers discovered an Azure Private Endpoint DNS behavior that can unintentionally or deliberately produce denial-of-service conditions for Azure services. In several scenarios — accidental internal, accidental vendor, and malicious actor — linking a Private DNS zone to a virtual network can force name resolution to the private zone and fail when no A record exists, breaking connectivity to otherwise public endpoints. Microsoft documents a partial mitigation (fallback to internet); alternatives include manually adding DNS records and performing comprehensive discovery with Resource Graph.