remote code execution | Breaking Cybersecurity News | The Hacker News

A critical security flaw has been disclosed in the GNU InetUtils telnet daemon ( telnetd ) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061 , is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7. "Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a '-f root' value for the USER environment variable," according to a description of the flaw in the NIST National Vulnerability Database (NVD). In a post on the oss-security mailing list, GNU contributor Simon Josefsson said the vulnerability can be exploited to gain root access to a target system - The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter. If the client supply [sic] a carefully crafted USER environment value being the string "-f root...

A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch. The vulnerability, which currently does not have a CVE identifier, is tracked by watchTowr Labs as WT-2026-0001 . It was patched by SmarterTools on January 15, 2026, with Build 9511 , following responsible disclosure by the exposure management platform on January 8, 2026. It has been described as an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by means of a specially crafted HTTP request to the "/api/v1/auth/force-reset-password" endpoint. "The kicker of course being that said user is able to use RCE-as-a-feature functions to directly execute OS [operating system] commands," watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah said. The problem is rooted in the function "SmarterMail.Web.Api.AuthenticationController.ForceResetPassword,"...

Cisco has released fresh patches to address what it described as a "critical" security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that it has been actively exploited as a zero-day in the wild. The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device. "This vulnerability is due to improper validation of user-supplied input in HTTP requests," Cisco said in an advisory. "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root." The critical rating for the flaw is due to the fact that its exploitation could allow for privil...

Zoom and GitLab have released security updates to resolve a number of security vulnerabilities that could result in denial-of-service (DoS) and remote code execution. The most severe of the lot is a critical security flaw impacting Zoom Node Multimedia Routers (MMRs) that could permit a meeting participant to conduct remote code execution attacks. The vulnerability, tracked as CVE-2026-22844 and discovered internally by its Offensive Security team, carries a CVSS score of 9.9 out of 10.0. "A command injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access," the company noted in a Tuesday alert. Zoom is recommending that customers using Zoom Node Meetings, Hybrid, or Meeting Connector deployments update to the latest available MMR version to safeguard against any potential threat. There is no evidence that the security flaw has been exploited ...

A security vulnerability has been disclosed in the popular binary-parser npm library that, if successfully exploited, could result in the execution of arbitrary JavaScript. The vulnerability, tracked as CVE-2026-1245 (CVSS score: 6.5), affects all versions of the module prior to version 2.3.0 , which addresses the issue. Patches for the flaw were released on November 26, 2025. Binary-parser is a widely used parser builder for JavaScript that allows developers to parse binary data. It supports a wide range of common data types, including integers, floating-point values, strings, and arrays. The package attracts approximately 13,000 downloads on a weekly basis. According to an advisory released by the CERT Coordination Center (CERT/CC), the vulnerability has to do with a lack of sanitization of user-supplied values, such as parser field names and encoding parameters, when the JavaScript parser code is dynamically generated at runtime using the "Function" constructor. ...