PatchDay Alert

CVE

CVE-2026-41409

CVSS 9.8


Daily digests

The earlier fix for CVE-2024-52046 in Apache MINA was incomplete. The classname allowlist that's supposed to block dangerous deserialization kicks in too late: a malicious class's static initializer can run before the filter ever checks it. If your app calls IoBuffer.getObject(), a remote attacker can execute arbitrary code. CVSS 9.8.
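The ordering problem described above, as an added Java example that is not Apache MINA's code: it contrasts a name check that runs after the class has been loaded and initialized with one that runs before any loading. The class `AllowlistOrderDemo`, its nested types and the allowlist contents are assumptions made for illustration.

```java
import java.io.*;
import java.util.Set;

// Added illustration, not Apache MINA source. All names here are hypothetical.
public class AllowlistOrderDemo {
    static boolean initializerRan = false;
    // Constructed stand-in for a class that is absent from the allowlist.
    static class Unlisted implements Serializable {
        static { initializerRan = true; } // benign, observable side effect
    }
    static final Set<String> ALLOWED = Set.of("java.lang.Integer", "java.lang.Number");

    // Late check: the class is loaded AND initialized before its name is tested.
    static Class<?> resolveLate(String name, ClassLoader cl)
            throws IOException, ClassNotFoundException {
        Class<?> c = Class.forName(name, true, cl); // initialize=true runs static initializers
        if (!ALLOWED.contains(name)) throw new InvalidClassException(name, "not on allowlist");
        return c;
    }

    // Early check: the name is tested first, so a rejected class is never loaded.
    static Class<?> resolveEarly(String name, ClassLoader cl)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(name)) throw new InvalidClassException(name, "not on allowlist");
        return Class.forName(name, false, cl);
    }

    // The early check wired into Java deserialization.
    static class FilteredStream extends ObjectInputStream {
        FilteredStream(InputStream in) throws IOException { super(in); }
        @Override protected Class<?> resolveClass(ObjectStreamClass d)
                throws IOException, ClassNotFoundException {
            return resolveEarly(d.getName(), getClass().getClassLoader());
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = AllowlistOrderDemo.class.getClassLoader();
        String name = AllowlistOrderDemo.class.getName() + "$Unlisted";
        try { resolveEarly(name, cl); } catch (InvalidClassException e) { /* rejected */ }
        System.out.println("after early check, initializer ran: " + initializerRan);
        try { resolveLate(name, cl); } catch (InvalidClassException e) { /* rejected too late */ }
        System.out.println("after late check, initializer ran: " + initializerRan);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(42); }
        try (ObjectInputStream in = new FilteredStream(new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("allowlisted value read back: " + in.readObject());
        }
    }
}
```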
