VDB

CVE-2026-41635

CVE-2026-41635 PUBLISHED CVSS 9.800000190734863 CRITICAL

CVE-2026-41635 is an arbitrary code execution vulnerability in Apache MINA. The AbstractIoBuffer.resolveClass() method contains two branches, where one of them performs no class validation, bypassing the classname allowlist entirely. This results in arbitrary code execution. Systems affected are applications using Apache MINA that call the IoBuffer.getObject() method.

EPSS 0.06% · 18.7th percentile

Risk Scores

CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.06%
18.7th percentile

Affected Products

VendorProductVersions
ApacheApache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5

Timeline

  • Apr 27, 2026 CVE Published
  • May 8, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score
  • May 27, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›