On Monday, Apache announced the rollout of MINA 2.2.7 and MINA 2.1.12 with fixes for two critical-severity vulnerabilities that should have been addressed in previous releases.

The first, CVE-2026-42778, is described as an incomplete fix for CVE-2026-41409, which in turn is an incomplete fix for CVE-2024-52046, an insecure deserialization of data that could be exploited for RCE.

The second is CVE-2026-42779, an incomplete fix for CVE-2026-41635, an improper check flaw leading to allowlist bypass and code execution.

Following the upgrade to a patched release, Apache says, organizations need to “explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance”.
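The allowlist step above is the part operators most often skip, because upgrading the jar alone leaves the decoder in whatever default state the release ships. The following is an added illustration, not code from the article or from the Apache MINA project, of what "explicitly allow the classes the decoder will accept" looks like when the codec is wired into a server. It assumes the `accept(String... patterns)` method that the MINA advisory for CVE-2024-52046 documents on `ObjectSerializationDecoder`, and the `com.example.wire.*` message classes are placeholders for an application's own serializable types.

```java
// Added example: pinning ObjectSerializationDecoder to an explicit allowlist.
// Assumes MINA 2.2.7 / 2.1.12 or later, where the decoder exposes accept(...).
import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

import java.net.InetSocketAddress;

public final class AllowlistedObjectCodec implements ProtocolCodecFactory {

    // Placeholder class names: replace with the exact serializable types your
    // protocol actually exchanges. Fully qualified names, no wildcards, so a
    // gadget class shipped by an attacker does not match by accident.
    private static final String[] ALLOWED_CLASSES = {
        "com.example.wire.LoginRequest",
        "com.example.wire.LoginResponse",
        "com.example.wire.Heartbeat",
    };

    @Override
    public ProtocolEncoder getEncoder(IoSession session) {
        return new ObjectSerializationEncoder();
    }

    @Override
    public ProtocolDecoder getDecoder(IoSession session) {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        // Without this call the patched release still has no class allowlist
        // configured for this instance; everything else is rejected once
        // an allowlist is set.
        decoder.accept(ALLOWED_CLASSES);
        return decoder;
    }

    // Wiring the factory into an acceptor so the allowlisted decoder is the
    // one that sees untrusted bytes from the network.
    public static IoAcceptor startServer(int port) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec",
                new ProtocolCodecFilter(new AllowlistedObjectCodec()));
        acceptor.setHandler(new org.apache.mina.core.service.IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) {
                // Only instances of ALLOWED_CLASSES can reach this point.
                session.write(message);
            }
        });
        acceptor.bind(new InetSocketAddress(port));
        return acceptor;
    }

    public static void main(String[] args) throws Exception {
        startServer(9123);
    }
}
```

Two checks are worth adding to a rollout: confirm by dependency inspection that every deployment is on 2.2.7 or 2.1.12 (a transitive `mina-core` pulled in by another library is easy to miss), and confirm that every `ObjectSerializationDecoder` the codebase constructs has an `accept(...)` call, since an unconfigured decoder instance is exactly the state the advisory says upgrading alone does not cure.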
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek