80 matches found
CVE-2026-41409 Apache MINA: CWE-502 Deserialization of Untrusted Data
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late: a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 =...
CVE-2026-41635
Apache MINA's AbstractIoBuffer.resolveClass contains two branches; one of them, for static classes or primitive types, does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class...
DEBIAN-CVE-2026-41635
Apache MINA's AbstractIoBuffer.resolveClass contains two branches; one of them, for static classes or primitive types, does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class...
EUVD-2026-25796
Apache MINA's AbstractIoBuffer.resolveClass contains two branches; one of them, for static classes or primitive types, does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class...
Apache MINA Code Issue Vulnerability
Apache MINA is a web application framework developed by the Apache Foundation in the United States. This product is primarily used for developing high-performance and highly scalable web applications. There were code vulnerabilities in versions 2.0.0 to 2.0.27, 2.1.0 to 2.1.10, and 2.2.0 to 2.2.5...
OSV-2026-504 Heap-use-after-free in ObjectStream::getObject
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=498251261 Crash type: Heap-use-after-free READ 4 Crash state: ObjectStream::getObject XRef::fetch XRef::fetch...
Linux Distros Unpatched Vulnerability : CVE-2020-28282
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution...
CVE-2024-52046 Apache MINA: MINA applications using unbounded deserialization may allow RCE
The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious...
MinIO Security Vulnerability
MinIO is a high-performance object storage service released under the GNU Affero General Public License v3.0. A security vulnerability exists in version MinIO RELEASE.2022-10-02T19-29-29Z, which stems from the disclosure of information about the presence of If-Modified-Since, If-Unmodified-Since...
CVE-2023-40517
LG SuperSign Media Editor ContentRestController getObject Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG SuperSign Media Editor. Authentication is not required to exploit this...
CVE-2023-40517 LG SuperSign Media Editor ContentRestController getObject Directory Traversal Information Disclosure Vulnerability
LG SuperSign Media Editor ContentRestController getObject Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG SuperSign Media Editor. Authentication is not required to exploit this...
PT-2023-27495 · Lg · Lg Supersign Media Editor
Name of the Vulnerable Software and Affected Versions: LG SuperSign Media Editor (affected versions not specified). Description: This issue allows remote attackers to disclose sensitive information on affected installations of LG SuperSign Media Editor. Authentication is not required to exploit this...
Cross-site Scripting (XSS)
github.com/treeverse/lakefs is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in controller.go and getobject.go, and allows an attacker to inject and execute malicious JavaScript when opening a direct link to an HTML file via lakeFS...
Null pointer dereference
pdf2json v0.71 was discovered to contain a NULL pointer dereference in the component ObjectStream::getObject...
CVE-2020-23879
CVE-2020-23879 affects pdf2json v0.71, with a NULL pointer dereference in ObjectStream::getObject. The vulnerability is documented across multiple feeds (NVD entry and Red Hat/CNVD/etc.), but the connected documents do not specify a vendor patch or remediation version. Impact details from NVD ind...
Prototype pollution in getobject
Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution...
GHSA-957J-59C2-J692 Prototype pollution in getobject
Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution...
3d-preview (>=1.0.0 <=1.0.1), 3dviewercomponent (=1.0.0) +2565 more potentially affected by CVE-2020-28282 via getobject (=0.1.0)
getobject NPM version =0.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on getobject and may be impacted: - 3d-preview =1.0.0, =0.0.2, =1.0.1, =1.0.0, =0.0.1, =1.0.0-alpha1, =0.1.0, =0.4.0, =0.0.9, =0.0.6, =0.12.0-edge9, =0.0.5, =0.0.2, =1.0.1 and mo...
CVE-2020-19465
An issue has been found in function ObjectStream::getObject in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an invalid read of size 4...