www.securityweek.com 5/5/2026, 11:42:01 AM

Apache patches HTTP Server and MINA flaws, warns of RCE risk

SecurityWeek reports that Apache released patches for more than a dozen vulnerabilities affecting HTTP Server and MINA, including critical and high-severity issues that could enable remote code execution. The HTTP Server 2.4.67 update fixes 11 vulnerabilities, with CVE-2026-23918 described as a double-free and possible RCE bug in HTTP/2 handling, and CVE-2026-28780 as a heap buffer overflow that could allow DoS and code execution.

Four other CVEs (CVE-2026-29168, CVE-2026-29169, CVE-2026-33007, CVE-2026-24072, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059) relate to DoS or information disclosure, while CVE-2026-33523 involves improper neutralisation of CRLF sequences and CVE-2026-33006 a timing side-channel weakness affecting Digest authentication.

On the MINA side, Apache announced a rollout of MINA 2.2.7 and MINA 2.1.12 with fixes for two critical-severity vulnerabilities, CVE-2026-42778 and CVE-2026-42779, described as incomplete fixes for prior CVEs that could lead to RCE or code execution. Following the upgrade, organisations are advised to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, according to MINA project news.
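The post-upgrade advice above amounts to a class allowlist on deserialization. The following is an added example, not code from the article or the MINA project: it shows the same control using the JDK's own `ObjectInputFilter` rather than MINA's `ObjectSerializationDecoder` API, and the `Greeting` type and the size limits are constructed for illustration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class AllowlistDecodeDemo {
    // Constructed message type: the only class this endpoint expects on the wire.
    record Greeting(String text) implements Serializable {}

    // Allowlist: the expected class plus resource limits; "!*" rejects every other class.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            Greeting.class.getName() + ";java.lang.String;maxdepth=5;maxbytes=4096;!*");

    // Helper that produces sample wire bytes for the demo.
    static byte[] encode(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Decode with the filter installed before any object is read from the stream.
    static Object decode(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected class: decodes normally.
        System.out.println(decode(encode(new Greeting("hello"))));

        // Class not on the allowlist: rejected before it is instantiated.
        try {
            decode(encode(new ArrayList<>(List.of("x"))));
            System.out.println("unexpected: decoded");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejections surface as `InvalidClassException`, which is worth logging and alerting on, since a peer sending classes outside the allowlist is either misconfigured or probing.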

Article by CyberSIXT