jackson-databind has @JsonView bypass for setterless creator properties

Summary In BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInViewactiveView check. A change making SetterlessProperty.isMerging return true routed setterless...

DEBIAN-CVE-2026-54517

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

CVE-2026-54517

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

CVE-2026-54517

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

CVE-2026-54019

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as...

CVE-2026-54019

Open WebUI CVE-2026-54019 describes an ACL bypass in Milvus multitenancy mode. Before version 0.9.6, collection-level ACL checks exist but can be bypassed when an attacker supplies user-controlled, unknown collection names, which Milvus treats as a resource_id and interpolates into an unsafe expr...

CVE-2026-54019 Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as...

CVE-2026-56424

CVE-2026-56424 affects MISP core and describes multiple broken access-control flaws where authorization checks target the wrong entity or where ownership checks are missing on write paths. In affected subsystems, a lower-privileged authenticated user with relevant feature permissions could cause ...

CVE-2026-56424 Broken access control in MISP core allows cross-organization unauthorized modification or deletion of analyst data, event reports, collections, templates, and decaying models

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could...

ROOT-APP-MAVEN-CVE-2015-6420 CVE-2015-6420 in io.root.commons-collections:commons-collections - Patched by Root

Root has patched CVE-2015-6420 in the io.root.commons-collections:commons-collections package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2015-7501 CVE-2015-7501 in io.root.commons-collections:commons-collections - Patched by Root

Root has patched CVE-2015-7501 in the io.root.commons-collections:commons-collections package for Root:Maven. Multiple fixed versions available...

CVE-2026-47777

Affected product: Mastodon (open-source social network server). Vulnerable component: remote Collections feature logic for consent verification. Root cause: missing condition to ensure the FeatureAuthorization object on a remote account actually matches the Collection item, allowing forging of co...

CVE-2026-47777 Mastodon has a consent-check bypass in its remote Collections

Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the...

CVE-2026-47777 Mastodon has a consent-check bypass in its remote Collections

Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the...

PT-2026-49260

Name of the Vulnerable Software and Affected Versions Mastodon versions prior to 4.6.0 Description A missing condition in the verification process for remote accounts consenting to be featured in a remote Collection allows attackers to bypass checks and fake consent. An attacker can forge the...

CVE-2026-54361

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

EUVD-2026-36554

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

CVE-2026-54361 MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

CVE-2026-54361

CVE-2026-54361 affects MISP and stems from mass assignment flaws in collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should be server-controlled (e.g., id, org_id, orgc_id, user_id), enabling an authenticated att...

PT-2026-48973

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description Multiple mass assignment issues exist in the handling of collections, tag collections, event delegations, and shadow attributes. Certain controller actions accept user-supplied fields that shoul...