In this week’s Security Advisory

  • Oracle Patches Over 200 Vulnerabilities in Quarterly Patch
  • TP-Link Patches Vulnerability Exposing VIGI Cameras to Remote Attackers
  • Chainlit Patches Two High Severity Vulnerabilities
  • GitLab Patches 2FA Bypass Vulnerability
  • ACF WordPress Plugin Allows Unauthenticated Attackers to Attain Admin Privileges

Oracle Patches Over 200 Vulnerabilities in Quarterly Patch

Oracle has released patches for over 200 unique vulnerabilities in its first quarterly patch cycle this year. About 30 of these vulnerabilities are of critical severity. One of the most concerning is CVE-2026-21962 (CVSS 10/10), which can be exploited remotely without authentication in Oracle HTTP Server and the Oracle WebLogic Server Proxy Plug-in.

Affected Versions

  • A full list of affected versions can be found here.

Recommendations

  • Apply the latest patches.

More Reading / Information

TP-Link Patches Vulnerability Exposing VIGI Cameras to Remote Attackers

TP-Link has patched a high-severity vulnerability affecting more than 32 of its VIGI C and VIGI InSight series professional surveillance camera models. The vulnerability, CVE-2026-0629 (CVSS 8.7/10), allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state, giving them full admin access to the device. Researchers have identified that more than 2,500 internet-exposed cameras worldwide may have been vulnerable to attacks.

Affected Versions

  • A full list of affected versions can be found here.

Recommendations

  • Download and update to the latest firmware version.

More Reading / Information

Chainlit Patches Two High Severity Vulnerabilities

Chainlit is an open-source Python package used for building conversational AI applications, with over seven million total downloads. Chainlit recently patched two high-severity vulnerabilities, CVE-2026-22218 (CVSS 7.1/10) and CVE-2026-22219 (CVSS 8.3/10), which can allow a threat actor to read files and make requests to internal network services. These vulnerabilities can be chained together to let an attacker escalate their privileges and move laterally within the system.

Affected Versions

  • Chainlit versions before 2.9.4.

Recommendations

  • Upgrade to version 2.9.4 or higher.

More Reading / Information

GitLab Patches 2FA Bypass Vulnerability

GitLab has patched a high-severity two-factor authentication bypass affecting the Community and Enterprise Editions of its software development platform. The vulnerability, CVE-2026-0723, is caused by an unchecked-return-value weakness in GitLab's authentication services. It can allow an attacker who knows another user's account ID to bypass two-factor authentication.

Affected Versions

  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 18.6 to 18.6.3.
  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 18.7 to 18.7.1.
  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 18.8 to 18.8.1.

Recommendations

  • Upgrade GitLab Community Edition (CE) or Enterprise Edition (EE) to version 18.8.2, 18.7.2, or 18.6.4, depending on the release branch in use.

More Reading / Information

ACF WordPress Plugin Allows Unauthenticated Attackers to Attain Admin Privileges

ACF Extended is a specialized plugin that extends the capabilities of the Advanced Custom Fields (ACF) plugin with features for developers and advanced site builders. A vulnerability in the plugin, CVE-2025-14533, can allow an unauthenticated remote attacker to gain admin privileges by abusing the plugin's 'Insert User / Update User' form action. Wordfence notes that the issue is only exploitable on sites that explicitly use a 'Create User' or 'Update User' form with a role field mapped.

Affected Versions

  • ACF Extended 0.9.2.1 and earlier.

Recommendations

  • Update to ACF Extended version 0.9.2.2.

More Reading / Information

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch is issued for newly discovered vulnerabilities. Likewise, CyberMaxx strongly encourages maintaining an inventory of the software currently deployed in your environment, which helps inform and support your patch and vulnerability management program.