Lucene search
K

2933 matches found

CVE
CVE
added 2026/06/23 8:56 p.m.92 views

CVE-2026-54512

jackson-databind contains a PolymorphicTypeValidator (PTV) bypass vulnerability. When polymorphic typing is enabled and the type ID includes generic parameters, DatabindContext._resolveAndValidateGeneric() validates only the raw container class name, then parses the full canonical type without va...

8.1CVSS5.8AI score0.00617EPSS
Exploits1References3Affected Software1
Debian CVE
Debian CVE
added 2026/06/23 8:56 p.m.6 views

CVE-2026-54512

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...

8.1CVSS5.8AI score0.00617EPSS
Exploits1
EUVD
EUVD
added 2026/06/23 8:53 p.m.7 views

EUVD-2026-38593

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray allowlists any array type based only on clazz.isArray, without validating th...

8.1CVSS5.8AI score0.00677EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/23 8:53 p.m.32 views

CVE-2026-54513 jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray allowlists any array type based only on clazz.isArray, without validating th...

8.1CVSS0.00677EPSS
Exploits0References6
CVE
CVE
added 2026/06/23 8:53 p.m.84 views

CVE-2026-54513

CVE-2026-54513 affects jackson-databind. A vulnerability in BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allows bypass of per-element allowlists when deserializing arrays, if the array element type is not explicitly allowlisted, potentially enabling dangerous types like EvilType[...

8.1CVSS5.8AI score0.00677EPSS
Exploits0References9Affected Software1
EUVD
EUVD
added 2026/06/23 8:51 p.m.8 views

EUVD-2026-38592

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution fo...

5.3CVSS5.9AI score0.00219EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/23 8:51 p.m.27 views

CVE-2026-54514 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution fo...

5.3CVSS0.00219EPSS
Exploits0References3
CVE
CVE
added 2026/06/23 8:51 p.m.76 views

CVE-2026-54514

CVE-2026-54514 affects jackson-databind’s InetSocketAddress handling during deserialization. From 2.0.0 up to fixes in 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress(host, port), causing eager DNS resolution at readValue time and enabling an attacker to trigger...

5.3CVSS5.9AI score0.00219EPSS
Exploits0References3Affected Software1
Debian CVE
Debian CVE
added 2026/06/23 8:51 p.m.8 views

CVE-2026-54514

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution fo...

5.3CVSS5.9AI score0.00219EPSS
Exploits0
Cvelist
Cvelist
added 2026/06/23 8:50 p.m.26 views

CVE-2026-54515 jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a...

5.3CVSS0.00345EPSS
Exploits0References4
CVE
CVE
added 2026/06/23 8:50 p.m.194 views

CVE-2026-54515

CVE-2026-54515 affects jackson-databind where, from 2.8.0 up to 2.18.9, 2.21.5 and 3.1.4, per-property @JsonIgnoreProperties exclusions are bypassed during a case-insensitive deserialization, making ignored properties writable again. The root cause is in BeanDeserializerBase.createContextual(), w...

5.3CVSS5.8AI score0.00345EPSS
Exploits0References4Affected Software1
Debian CVE
Debian CVE
added 2026/06/23 8:50 p.m.5 views

CVE-2026-54515

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a...

5.3CVSS5.8AI score0.00345EPSS
Exploits0
CVE
CVE
added 2026/06/23 8:48 p.m.53 views

CVE-2026-54516

The CVE-2026-54516 vulnerability affects jackson-databind where, from 2.21.0 through 2.21.4 and in 3.1.4, POJOPropertiesCollector._renameProperties() can rename a property annotated with @JsonProperty("renamed") on the getter while the setter is annotated with @JsonIgnore. When MapperFeature.INFE...

5.3CVSS5.9AI score0.00282EPSS
Exploits0References5Affected Software1
Debian CVE
Debian CVE
added 2026/06/23 8:48 p.m.6 views

CVE-2026-54516

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed...

5.3CVSS5.9AI score0.00282EPSS
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/06/23 8:47 p.m.7 views

CVE-2026-54517

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

5.3CVSS5.9AI score0.00237EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/06/23 8:47 p.m.9 views

EUVD-2026-38589

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

5.3CVSS5.9AI score0.00237EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/23 8:47 p.m.29 views

CVE-2026-54517 jackson-databind: @JsonView bypass for setterless creator properties

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

5.3CVSS0.00237EPSS
Exploits0References5
CVE
CVE
added 2026/06/23 8:47 p.m.39 views

CVE-2026-54517

Summary: CVE-2026-54517 affects jackson-databind. In BeanDeserializer._deserializeUsingPropertyBased, the active-view filter was only applied to creator properties; the path for regular properties lacked a visibleInView check. This allowed setterless Collection/Map properties annotated with a res...

5.3CVSS5.9AI score0.00237EPSS
Exploits0References5Affected Software1
Debian CVE
Debian CVE
added 2026/06/23 8:47 p.m.5 views

CVE-2026-54517

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

5.3CVSS5.9AI score0.00237EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.12 views

PT-2026-51599

Name of the Vulnerable Software and Affected Versions jackson-databind versions 2.21.0 through 2.21.3 jackson-databind versions 3.0.0 through 3.1.3 Description An issue exists in the POJOPropertiesCollector. renameProperties function where a property with @JsonProperty"renamed" on the getter and...

5.3CVSS5.8AI score0.00282EPSS
Exploits0References13
Rows per page
Query Builder