org.apache.mina:mina-core@2.2.6

  • latest version

    2.2.7

  • first published

    19 years ago

  • latest version published

    17 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.mina:mina-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • C
    Deserialization of Untrusted Data

    org.apache.mina:mina-core is a network application framework which helps users develop high performance and high scalability network applications easily.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the resolveClass function in AbstractIoBuffer when the null-clazz branch skips the acceptMatchers filter. An attacker can achieve arbitrary code execution by sending specially crafted serialized objects to applications that invoke IoBuffer.getObject().

    Note: This vulnerability was originally reported as fixed in 2.1.11 and 2.2.6, and assigned CVE-2026-41635, but the respective fixes were not applied to the 2.1 and 2.2 branches until 2.1.12 and 2.2.7.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.apache.mina:mina-core to version 2.1.12, 2.2.7 or higher.

    Vulnerable versions: [2.1.0,2.1.12), [2.2.0,2.2.7)
    • C
    Deserialization of Untrusted Data

    org.apache.mina:mina-core is a network application framework which helps users develop high performance and high scalability network applications easily.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the IoBuffer.getObject function. An attacker can execute arbitrary code by supplying specially crafted serialized data to be deserialized.

    Note: This is a bypass of the fix for CVE-2024-52046.

    Note: This vulnerability was originally reported as fixed in 2.1.11 and 2.2.6, and assigned CVE-2026-41409, but the respective fixes were not applied to the 2.1 and 2.2 branches until 2.1.12 and 2.2.7.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.apache.mina:mina-core to version 2.1.12, 2.2.7 or higher.

    Vulnerable versions: [2.1.0,2.1.12), [2.2.0,2.2.7)