PT-2026-36314 · Apache · Apache Mina

Published: 2026-05-01 · Updated: 2026-06-04 · CVE-2026-42778

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Apache MINA versions prior to 2.2.7
Apache MINA versions prior to 2.1.12

Description

An issue exists in the Java network application framework due to flaws in the deserialization mechanism. The software deserializes data from unknown network sources without proper validation. When a client sends specially crafted serialized Java objects, the system reconstructs these objects, which can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information, potentially leading to remote code execution.

Recommendations

Update to version 2.2.7.
Update to version 2.1.12.

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2026-06347
CLEANSTART-2026-DD05788
CLEANSTART-2026-LE11246
CLEANSTART-2026-LO22603
CLEANSTART-2026-RN56220
CVE-2026-42778
GHSA-995C-6RP3-4M4X
OESA-2026-2241
OESA-2026-2242
OESA-2026-2243
OESA-2026-2244
OESA-2026-2245

Affected Products

Apache Mina