CVE-2026-41409 Apache MINA: CWE-502 Deserialization of Untrusted Data

🗓️ 27 Apr 2026 09:20:12Reported by apacheType

CVE-2026-41409 in Apache MINA deserialization fixed by earlier allowlist; upgrade to 2.0.28, 2.1.11, or 2.2.6.

Reporter	Title	Published	Views	Family All 49
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM DataStax Enterprise	27 May 202617:14	–	ibm
ATTACKERKB	CVE-2026-42778	1 May 202610:01	–	attackerkb
ATTACKERKB	CVE-2026-41409	27 Apr 202609:20	–	attackerkb
Chainguard	CVE-2026-41409 vulnerabilities	7 May 202601:17	–	cgr
Circl	CVE-2026-41409	29 Apr 202620:07	–	circl
CNNVD	Apache MINA 代码问题漏洞	27 Apr 202600:00	–	cnnvd
CVE	CVE-2026-41409	27 Apr 202609:20	–	cve
Debian CVE	CVE-2026-41409	27 Apr 202609:20	–	debiancve
EUVD	EUVD-2026-25809	27 Apr 202609:20	–	euvd
F5 Networks	K000161244: Apache MINA vulnerabilities CVE-2026-42778 and CVE-2026-42779	13 May 202606:23	–	f5

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2/org/apache/mina/",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.mina:mina.core",
    "product": "Apache MINA",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.2.5",
        "status": "affected",
        "version": "2.2.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "2.1.10",
        "status": "affected",
        "version": "2.1.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "2.0.27",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9

27 Apr 2026 09:20Current

CVSS 3.19.8

EPSS0.00451

CWE-502