#1138634 mina2: CVE-2026-48827

Package:
src:mina2
Source:
src:mina2
Submitter:
Salvatore Bonaccorso
Date:
2026-06-01 15:36:03 UTC
Severity:
normal
#1138634#5
Date:
2026-06-01 15:34:47 UTC
Hi,

The following vulnerability was published for mina2.

CVE-2026-48827[0]:
| Path traversal vulnerability in Apache MINA SSHD bundle sshd-git.
| Lack of path validation in git-upload-pack, git-receive-pack, and
| other git operations allows users authenticated over SSH access to
| git repositories outside the configured git server root directory.
| Applications are affected if they use org.apache.sshd:sshd-git.
| Applications not using sshd-git are not affected. Users are
| advised to upgrade affected applications to Apache MINA SSHD 2.18.0,
| which fixes the issue. The issue also is present in the
| pre-release milestones 3.0.0-M1 to 3.0.0-M3 for a new upcoming major
| version 3.0.0. Again, applications are affected only if they use
| sshd-git. Upgrade affected applications to 3.0.0-M4. We would
| like to point out that a professional git server should not rely
| solely on file system layout and permissions, but should implement
| additional security controls to govern access to git repositories
| and operations allowed on particular git repositories.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48827
https://www.cve.org/CVERecord?id=CVE-2026-48827
[1] https://www.openwall.com/lists/oss-security/2026/05/30/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
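
The CVE text above attributes the issue to missing path validation against the configured git server root. The following is an added example, not code from this report or from Apache MINA SSHD: a generic root-containment check of the kind an application embedding a git-over-SSH server can apply as an additional control. The class name, `resolveInsideRoot`, and the sample requests are hypothetical and constructed for illustration; POSIX-style paths are assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class RepoPathCheck {

    /**
     * Resolve a client-supplied repository path against the server root and
     * reject anything that ends up outside it. Hypothetical helper.
     */
    static Path resolveInsideRoot(Path root, String requested) throws IOException {
        Path realRoot = root.toRealPath();
        // Treat a leading "/" as root-relative. Path.resolve() with an absolute
        // argument would otherwise discard the base directory entirely.
        String relative = requested.replaceFirst("^[/\\\\]+", "");
        Path candidate;
        try {
            candidate = realRoot.resolve(relative).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("invalid repository path", e);
        }
        // Lexical check: after normalization, ".." must not climb above the root.
        if (!candidate.startsWith(realRoot)) {
            throw new SecurityException("repository path escapes root");
        }
        // Symlink check: where the target exists, compare its real location.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(realRoot)) {
            throw new SecurityException("repository path escapes root via symlink");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("gitroot"); // constructed sample root
        Files.createDirectory(root.resolve("project.git"));
        // Constructed sample values for the path argument of a git command.
        String[] requests = { "/project.git", "project.git", "../outside.git",
                              "/project.git/../../outside.git" };
        for (String r : requests) {
            try {
                System.out.println("ALLOW " + r + " -> " + resolveInsideRoot(root, r));
            } catch (SecurityException e) {
                System.out.println("DENY  " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two requests resolve to the same directory under the root and are allowed; the last two normalize to a location above the root and are denied. As the CVE text notes, a check like this complements, and does not replace, per-repository access control.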