PatchDay Alert

CVE-2026-41635

CVSS 9.8


Daily digests

Another deserialization bypass in Apache MINA. The resolveClass() method has a code path for static classes and primitives that skips the allowlist entirely, letting an attacker sneak arbitrary classes past the filter and get remote code execution. This is a separate bypass from CVE-2026-41409, fixed in the same release. CVSS 9.8.
