Overview
UniFi has released security advisories addressing multiple critical vulnerabilities in UniFi OS devices. These vulnerabilities could allow an attacker with access to the network to exploit improper input validation, path traversal, and improper access control in UniFi OS devices. If successfully exploited, an attacker could perform command injection, access files or make unauthorised changes to the system.
- CVE-2026-34908: Improper Access Control in UniFi OS Devices (CVSSv3 10.0)
- CVE-2026-34909: Path Traversal in UniFi OS Devices (CVSSv3 10.0)
- CVE-2026-34910: Command Injection in UniFi OS Devices (CVSSv3 10.0)
Affected versions: UniFi OS Server <= 5.0.6
Cisco has released a security advisory for a critical vulnerability in Cisco Secure Workload. This vulnerability could enable an unauthenticated, remote attacker to access site resources with permissions of the Site Admin role due to insufficient authentication and validation. If successfully exploited, it could allow the attacker to read sensitive information and modify configurations.
- CVE-2026-20223: Unauthorised API Access in Cisco Secure Workload (CVSSv3 10.0)
Affected versions: all configurations on Cisco Secure Workload Cluster Software on SaaS and on-prem deployments. (This vulnerability only affects internal REST APIs, not the web-based management interface.)
Drupal has released a security advisory for a critical SQL injection vulnerability in Drupal core. The vulnerability allows an attacker to send specially crafted requests that result in arbitrary SQL injection for websites that use PostgreSQL databases. Information disclosure and, in certain situations, privilege escalation, remote code execution, or other attacks may occur if successfully exploited.
- CVE-2026-9082: SQL Injection in Drupal (CVSSv3 9.8)
Affected versions: >= 8.9.0 < 10.4.10, >= 10.5.0 < 10.5.10, >= 10.6.0 < 10.6.9, >= 11.0.0 < 11.1.10, >= 11.2.0 < 11.2.12, >= 11.3.0 < 11.3.10
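To triage a Drupal estate against the ranges listed above, the following added example (not code from Drupal or from the advisory) classifies each site by core version and database driver. It assumes semantic-version ordering, where a pre-release such as 10.6.9-rc1 sorts before 10.6.9, and that PostgreSQL sites report the driver name "pgsql"; the inventory is constructed sample data.

```python
import re

# Affected Drupal core ranges as listed above: (inclusive lower, exclusive upper).
AFFECTED = [("8.9.0", "10.4.10"), ("10.5.0", "10.5.10"), ("10.6.0", "10.6.9"),
            ("11.0.0", "11.1.10"), ("11.2.0", "11.2.12"), ("11.3.0", "11.3.10")]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def version_key(text):
    """Return a sortable key; a pre-release (10.5.10-rc1) sorts before its release."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def in_affected_range(version):
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED)


def triage(version, db_driver):
    """Return 'unknown', 'not-listed', 'listed-other-db' or 'listed-postgresql'."""
    try:
        listed = in_affected_range(version)
    except ValueError:
        return "unknown"  # e.g. a -dev checkout: verify by hand
    if not listed:
        return "not-listed"
    # The advisory describes the injection on sites that use PostgreSQL.
    return "listed-postgresql" if db_driver.lower() == "pgsql" else "listed-other-db"


# Constructed inventory: hypothetical site names, versions and drivers.
INVENTORY = [
    ("intranet", "10.4.9", "pgsql"),
    ("shop", "10.5.10", "pgsql"),
    ("blog", "11.2.11", "mysql"),
    ("staging", "10.6.9-rc1", "pgsql"),
    ("dev", "10.5.x-dev", "pgsql"),
]


def report(inventory=INVENTORY):
    return {name: triage(version, driver) for name, version, driver in inventory}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:10} {status}")
```

Sites reported as listed-other-db are still running a version in the affected ranges and should be updated along with the PostgreSQL ones.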
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
- UniFi – Releases | Ubiquiti Community
- Cisco – Cisco Secure Workload Unauthorized API Access Vulnerability
- Drupal – Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 | Drupal.org
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.