Zero-day drop: SicuroWeb SSTI-to-RCE (CVE-2026-22191) + Voltronic UPS preauth root chain (CVE-2026-22192–22199)

Researcher @kmkz_security just dropped two OT-facing zero-day chains with public PoCs after four months of vendor silence. One is a 10-year-old AngularJS sandbox escape shipped in 2026 emergency-lighting gear (CVSS 9.3); the other is a pre-auth path traversal + hardcoded root password on Voltronic UPS cards (CVSS 10.0) that hands attackers a direct pivot into OT infrastructure.