LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-42778

CVE-2026-42778 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: May 1, 2026

Apache MINA - Insecure Deserialization

Published: May 1, 2026Updated: May 1, 2026PoC AvailableRemote Exploitable

Overview

Apache MINA 2.1.0 <= 2.1.11 and 2.2.0 <= 2.2.6 contain an insecure deserialization caused by late application of classname allowlist in AbstractIoBuffer.getObject(), letting attackers execute code via deserialization, exploit requires calling IoBuffer.getObject().

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 14.4%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary code via deserialization, potentially leading to full system compromise.

Mitigation

Upgrade to Apache MINA 2.1.12 or 2.2.7 or later.

References

Social Media Activity(3 posts)

Yazoul - Cybersecurity Alerts
Yazoul - Cybersecurity Alerts
@Matchbook3469
May 2, 2026

šŸ”“ New security advisory: CVE-2026-42778 affects Apache Mina. ā€¢ Impact: Remote code execution or complete system compromise possible ā€¢ Risk: Attackers can gain full control of affected systems ā€¢ Mitigation: Patch immediately or isolate affected systems Full breakdown: https://www.yazoul.net/advisory/cve/cve-2026-42778-apache-mina-iobuffer-rce-patch-bypass #InfoSec #PatchNow #InfoSecCommunity

View original post
TheHackerWire
TheHackerWire
@thehackerwire
May 1, 2026

šŸ”“ CVE-2026-42778 - Critical (9.8) The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allo... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-42778/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
OffSequence
OffSequence
@offseq
May 1, 2026

šŸšØ CRITICAL: CVE-2026-42778 impacts Apache MINA 2.1.X & 2.2.X ā€” deserialization flaw in IoBuffer.getObject() due to incomplete previous fix. Upgrade to 2.1.12 or 2.2.7 to mitigate RCE risk. Details: https://radar.offseq.com/threat/cve-2026-42778-cwe-502-deserialization-of-untruste-db0b103e #OffSeq #ApacheMINA #Vuln #AppSec

View original post

Related Resources

Details

CVE ID
CVE-2026-42778
Severity
Critical
CVSS Score
9.8
Type
insecure_deserialization
Status
confirmed
EPSS
14.4%
Social Posts
3

CWE

  • CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

14.4%Probability of exploitation in the next 30 days