PT-2026-36668

Name of the Vulnerable Software and Affected Versions Apache Polaris affected versions not specified Description Apache Polaris issues broad temporary storage credentials during staged table creation before validating or reserving the effective table location. This allows an attacker to direct th...

PT-2026-36669

Name of the Vulnerable Software and Affected Versions Apache Polaris version 1.4.0 Description Apache Polaris allows the use of literal characters in namespace and table names. These characters are reused unescaped in S3 IAM resource patterns and s3:prefix conditions when building temporary S3...

PT-2026-36670

Name of the Vulnerable Software and Affected Versions Apache Polaris version 1.4.0 Description Apache Polaris fails to properly escape namespace and table identifiers when constructing Common Expression Language CEL strings for Google Cloud Storage GCS Credential Access Boundaries CAB. This allow...

PT-2026-36747

CVE-2025-12993 - Apache HTTP Server Cross-Site Scripting Vulnerability CVE ID :CVE-2025-12993 Published : May 1, 2026, 9:16 p.m. | 54 minutes ago Description :Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-67968. Reason: This candidate is a reservation duplicate of...

PT-2026-36748

CVE-2025-8903 - Apache HTTP Server Remote Code Execution Vulnerability CVE ID :CVE-2025-8903 Published : May 1, 2026, 8:16 p.m. | 1 hour, 54 minutes ago Description :Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-2052. Reason: This candidate is a reservation...

PT-2026-36671

Name of the Vulnerable Software and Affected Versions Apache Polaris versions prior to 1.4.1 Description Changing the write.metadata.path table property via an ALTER TABLE settings change allows a user to bypass the commit-time branch intended to revalidate storage locations. This defect enables...

CVE-2026-41409

A flaw was found in Apache MINA. An incomplete fix for a deserialization vulnerability in the AbstractIoBuffer.getObject method allowed a static initializer in a class to be executed before the classname allowlist was applied. This could enable a remote attacker to execute arbitrary code by sendi...

GHSA-VF5J-865M-MQ7C Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass contains two branches, one of them for static classes or primitive types does not check the class at all, bypassing the classname...

com.github.niupengyu.schedule:ahead-schedule-distributed (>=1.2.6-RELEASE <=1.2.8-RELEASE), com.github.niupengyu:ahead-frame-socket (>=1.2.1-RELEASE <=1.2.3-RELEASE) +40 more potentially affected by CVE-2026-42778 via org.apache.mina:mina-core (>=2.1.0 <=2.1.11)

org.apache.mina:mina-core MAVEN version =2.1.0, =1.2.6-RELEASE, =1.2.1-RELEASE, =2.2.1, =2.2.1, =3.0.0, =1.0.0, =3.0.11, =3.6.7, =3.6.7, =3.6.7, =3.6.10 and more Source cves: CVE-2026-42778 Source advisory: OSV:GHSA-995C-6RP3-4M4X...

com.github.niupengyu.schedule:ahead-schedule-distributed (>=1.2.6-RELEASE <=1.2.8-RELEASE), com.github.niupengyu:ahead-frame-socket (>=1.2.1-RELEASE <=1.2.3-RELEASE) +40 more potentially affected by CVE-2026-42779 via org.apache.mina:mina-core (>=2.1.0 <=2.1.11)

org.apache.mina:mina-core MAVEN version =2.1.0, =1.2.6-RELEASE, =1.2.1-RELEASE, =2.2.1, =2.2.1, =3.0.0, =1.0.0, =3.0.11, =3.6.7, =3.6.7, =3.6.7, =3.6.10 and more Source cves: CVE-2026-42779 Source advisory: OSV:GHSA-VF5J-865M-MQ7C...

GHSA-995C-6RP3-4M4X Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix)

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a stat...

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass contains two branches, one of them for static classes or primitive types does not check the class at all, bypassing the classname...

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix)

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a stat...

ai.platon.pulsar:pulsar-persist (>=1.9.0 <=1.10.23), be.eliwan:eoddata-client (=1.0) +2590 more potentially affected by CVE-2026-42404 via org.apache.neethi:neethi (>=2.0 <=3.2.1)

org.apache.neethi:neethi MAVEN version =2.0, =1.9.0, =1.1.7, =1.1.9, =1.2.5, =3.00.4, =3.00.3, =4.00.10, =11.4-37, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.1.0.RELEASE and more Source cves: CVE-2026-42404 Source advisory: OSV:GHSA-287C-FXR7-3W6C...

GHSA-287C-FXR7-3W6C Apache Neethi doesn't impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP...

com.github.niupengyu.schedule:ahead-schedule-distributed (>=1.2.6-RELEASE <=1.2.8-RELEASE), com.github.niupengyu:ahead-frame-socket (>=1.2.1-RELEASE <=1.2.3-RELEASE) +40 more potentially affected by CVE-2026-42779 via org.apache.mina:mina-core (>=2.1.0 <=2.1.11)

org.apache.mina:mina-core MAVEN version =2.1.0, =1.2.6-RELEASE, =1.2.1-RELEASE, =2.2.1, =2.2.1, =3.0.0, =1.0.0, =3.0.11, =3.6.7, =3.6.7, =3.6.7, =3.6.10 and more Source cves: CVE-2026-42779 Source advisory: SNYK:JAVA-ORGAPACHEMINA-16354036...

Deserialization of Untrusted Data

Overview org.apache.mina:mina-core is a network application framework which helps users develop high performance and high scalability network applications easily. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the resolveClass function in AbstractIoBuffe...

ai.h2o:sparkling-water-core_2.11 (>=3.46.0.1-1-2.3 <=3.46.0.6-1-2.4), ai.h2o:sparkling-water-core_2.12 (>=3.46.0.1-1-3.0 <=3.46.0.6-1-3.5) +761 more potentially affected by CVE-2026-42778 via org.apache.mina:mina-core (>=2.2.0 <=2.2.6)

org.apache.mina:mina-core MAVEN version =2.2.0, =3.46.0.1-1-2.3, =3.46.0.1-1-3.0, =3.46.0.1-1-2.3, =3.46.0.1-1-3.0, =3.46.0.1-1-2.3, =3.46.0.1-1-3.0, =3.46.0.1-1-2.3, =3.46.0.1-1-3.0, =1.5.4.RELEASE, =0.0.2, =3.0.0, =1.0.9, =1.6.9, =1.2.5, =1.1.7, =1.2.8 and more Source cves: CVE-2026-42778 Sourc...

Deserialization of Untrusted Data

Overview org.apache.mina:mina-core is a network application framework which helps users develop high performance and high scalability network applications easily. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the IoBuffer.getObject function. An attacker...

ai.platon.pulsar:pulsar-persist (>=1.9.0 <=1.10.23), be.eliwan:eoddata-client (=1.0) +2282 more potentially affected by CVE-2026-42404 via org.apache.neethi:neethi (>=3.0.0 <=3.2.1)

org.apache.neethi:neethi MAVEN version =3.0.0, =1.9.0, =1.1.7, =1.1.9, =1.2.5, =3.00.4, =3.00.3, =4.00.10, =11.4-37, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.1.0.RELEASE and more Source cves: CVE-2026-42404 Source advisory: SNYK:JAVA-ORGAPACHENEETHI-16354029...