
Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server

Apache on Monday released patches for over a dozen vulnerabilities in HTTP Server and MINA, including critical- and high-severity issues that could be exploited for remote code execution (RCE).

Apache HTTP Server 2.4.67 was released with fixes for 11 vulnerabilities, 10 of which affect all earlier releases.

The first is CVE-2026-23918, a double-free and potential RCE bug in the HTTP/2 protocol handling. By triggering an early reset, an attacker could cause a denial-of-service (DoS) condition and potentially execute arbitrary code.

Next in line is CVE-2026-28780, a heap buffer overflow issue that could allow remote attackers to send crafted AJP messages to cause a DoS condition and execute code.

Three other security defects, CVE-2026-29168, CVE-2026-29169, and CVE-2026-33007, could lead to DoS conditions, while four, namely CVE-2026-24072, CVE-2026-33857, CVE-2026-34032, and CVE-2026-34059, could lead to information disclosure.

The update also addresses an improper neutralization of CRLF sequences issue, tracked as CVE-2026-33523, which allows attackers to manipulate HTTP responses, and a timing side-channel weakness (CVE-2026-33006) that could lead to Digest authentication bypass.


On Monday, Apache announced the rollout of MINA 2.2.7 and MINA 2.1.12 with fixes for two critical-severity vulnerabilities that should have been addressed in earlier releases.

The first, CVE-2026-42778, is described as an incomplete fix for CVE-2026-41409, which in turn is an incomplete fix for CVE-2024-52046, an insecure deserialization of data issue that could be exploited for RCE.

The second is CVE-2026-42779, an incomplete fix for CVE-2026-41635, an improper check flaw leading to allowlist bypass and code execution.

Following the upgrade to a patched release, Apache says, organizations need to “explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance”.
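As an added illustration of the post-upgrade step Apache describes (this is example code, not Apache's own and not from the advisory), the codec factory below wires an ObjectSerializationDecoder whose allowlist names only the application's own message classes and the JDK value types they contain; any other class named in an incoming stream is rejected before it is instantiated. It uses the `accept(...)` allowlist methods and `setMaxObjectSize` on ObjectSerializationDecoder, which I take to be the mechanism Apache refers to; the `com.example.messages.*` class names and the 64 KiB size cap are assumptions, and the method signatures should be checked against the API of the release actually deployed.

```java
import java.util.regex.Pattern;

import org.apache.mina.core.service.IoService;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;

/**
 * Codec factory whose decoder deserializes only an explicit allowlist of classes.
 * Example code written for this article; not part of Apache MINA.
 */
public final class AllowlistedObjectCodecFactory implements ProtocolCodecFactory {

    private final ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();
    private final ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

    public AllowlistedObjectCodecFactory() {
        // Bound the size of a single serialized object (assumed 64 KiB limit for this app).
        decoder.setMaxObjectSize(64 * 1024);

        // Allow only the application's own message types (assumed class names).
        decoder.accept("com.example.messages.PingRequest",
                       "com.example.messages.PingResponse");

        // Allow the plain JDK value types those messages carry as fields.
        decoder.accept(Pattern.compile("java\\.lang\\.(String|Integer|Long|Boolean)"));

        // Nothing else is listed, so every other class name in the stream is refused
        // by the decoder before an instance is created: the allowlist is default-deny.
    }

    @Override
    public ProtocolEncoder getEncoder(IoSession session) {
        return encoder;
    }

    @Override
    public ProtocolDecoder getDecoder(IoSession session) {
        return decoder;
    }

    /** Installs the allowlisted codec on an acceptor or connector filter chain. */
    public static void installOn(IoService service) {
        service.getFilterChain().addLast("codec",
                new ProtocolCodecFilter(new AllowlistedObjectCodecFactory()));
    }
}
```

Keep the allowlist as narrow as the protocol needs: each pattern added is a class the decoder will happily instantiate from untrusted bytes, so a broad wildcard such as `java.util.*` or the application's whole package tree reintroduces the exposure the upgrade is meant to close.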
