2 matches found
GHSA-995C-6RP3-4M4X Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix)
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a stat...
UBUNTU-CVE-2026-42779
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass contains two branches, one of them for static classes or primitive types does not check the class at all, bypassing the classname...