
Overview

BeyondTrust has released a security advisory to address a critical vulnerability affecting Remote Support (RS) and Privileged Remote Access (PRA). Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorised access, data exfiltration, and service disruption.

  • CVE-2026-1731 – Improper Neutralisation of Special Elements used in an OS Command vulnerability (CVSSv4 Score: 9.9) 

Affected versions: Remote Support: <=25.3.1; Privileged Remote Access: <=24.3.4

TP-Link has issued a security notice regarding recently identified vulnerabilities affecting several TP-Link router models. The vulnerability involves a stack buffer overflow, which may allow an attacker on the local network to execute arbitrary code on a vulnerable device. Successful exploitation requires the attacker to already have local network access but could still result in device compromise or service disruption. 

  • CVE-2026-0630, CVE-2026-0631, CVE-2026-22221-22227, CVE-2026-22229 – Improper Neutralisation of Special Elements used in an OS Command vulnerability (CVSSv4 Score: 8.5) 

Affected versions include the following models and firmware versions: 

  • Archer C50 (EU) V3 — Firmware <180926 
  • Archer C50 (EU) V4 — Firmware <220923 
  • Archer C20 (EU) V5 — Firmware <230120 
  • Archer C60 (EU) V1/V2 — Firmware <200224 
  • Archer C60 (EU) V3 — Firmware <220923 
  • Archer A7 (EU) V5 — Firmware <211023 
  • Archer C7 (EU) V5 — Firmware <211023 

A security warning was issued for the Qwik JavaScript framework because of a vulnerability in a function used by the @builder.io/qwik-city middleware. The problem occurs when the function turns form fields into JavaScript objects: it does not block dangerous property names. This means an attacker could send a carefully crafted HTTP POST request with one of these names to modify objects across the entire application.

  • CVE-2026-25150 – ‘Prototype Pollution’ - Improperly Controlled Modification of Object Prototype Attributes. (CVSSv3.1 Score: 9.3) 

Affected versions: Qwik <1.19.0 
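
The missing check described above, shown as an added example (not Qwik's code or its fix): a form-field-to-object converter that refuses dangerous property names and builds its result on prototype-less objects. The dotted field-name syntax, the name `safeFormToObject`, the blocked-name list and the sample fields are assumptions constructed for illustration.

```javascript
// Added illustration, not Qwik's code. Assumption: field names use a dotted
// path ("user.name") to build nested objects.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// entries: iterable of [fieldName, value] pairs, the shape FormData.entries() yields.
function safeFormToObject(entries) {
  const data = Object.create(null); // no prototype chain to reach through
  const rejected = [];              // field names refused, for logging/alerting
  for (const [name, value] of entries) {
    const keys = String(name).split('.');
    // Refuse the whole field if any path segment is empty or a blocked name.
    if (keys.some((k) => k === '' || BLOCKED_KEYS.has(k))) {
      rejected.push(name);
      continue;
    }
    let node = data;
    let collided = false;
    for (const key of keys.slice(0, -1)) {
      if (!hasOwn(node, key)) {
        node[key] = Object.create(null);
      } else if (typeof node[key] !== 'object' || node[key] === null) {
        collided = true; // an earlier field already stored a scalar here
        break;
      }
      node = node[key];
    }
    if (collided) rejected.push(name);
    else node[keys[keys.length - 1]] = value;
  }
  return { data, rejected };
}

// Constructed sample input: two ordinary fields and two with blocked segments.
const SAMPLE_FIELDS = [
  ['user.name', 'alice'],
  ['user.email', 'alice@example.test'],
  ['__proto__.isAdmin', 'true'],
  ['user.constructor.prototype.role', 'admin'],
];

const result = safeFormToObject(SAMPLE_FIELDS);
console.log(JSON.stringify(result.data), result.rejected);
```

The `rejected` list is worth logging: a blocked segment in a submitted field name is a useful signal when reviewing requests to a form endpoint.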

Recommended Action 

Organisations are encouraged to review the appropriate security advisory pages and apply the updates: 

BeyondTrust – Security Advisories 

TP-Link – Security Advisory 

Qwik – Vulnerability Detail 

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.

 
