org.apache.mina:mina-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.mina:mina-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2026-41409 — CVSS 9.8 (critical): The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be…
CVE-2026-42778 — CVSS 9.8 (critical): The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for…
CVE-2026-42779 — CVSS 9.8 (critical): The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's…
CVE-2024-52046 — CVSS 9.8 (critical): The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks…
CVE-2026-41635 — CVSS 9.8 (critical): Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the…
CVE-2019-0231 — CVSS 7.5 (high): Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to…
CVE-2021-41973 — CVSS 6.5 (medium): In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed…