CVE-2026-41731

A flaw was found in the spring-kafka component. A remote attacker, by supplying crafted header values, could exploit a vulnerability in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper that incorrectly matched type headers against trusted packages. This issue, combined with Jackson's default be...

EUVD-2026-35908

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

CVE-2026-40899

DataEase

Apache Spark Deserialization Vulnerability

Apache Spark is a large-scale data processing engine that supports acyclic data streaming and in-memory computing from the Apache Foundation. Apache Spark suffers from a deserialization vulnerability. The vulnerability stems from the Spark History Web UI's overly lax Jackson deserialization of...

EUVD-2025-208669

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the Jackson implementation in the Spark History Server web UI. An attacker who can write event logs can achieve code execution by injecting malicious JSON payloads into event log files, which are the...

CVE-2025-54920

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson...

CVE-2025-54920 Apache Spark: Spark History Server Code Execution Vulnerability

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson...

CVE-2025-54920

The CVE-2025-54920 entry describes a code execution vulnerability in Apache Spark prior to 3.5.7 and 4.0.1, originating from the Spark History Server’s oversized Jackson deserialization of event log data. The issue uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListe...

Apache Spark 代码问题漏洞

Apache Spark is a large-scale data processing engine that supports acyclic data streaming and in-memory computing from the Apache Foundation. Apache Spark suffers from a deserialization vulnerability. The vulnerability stems from the Spark History Web UI's overly lax Jackson deserialization of...

PT-2026-25504

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson...

Exploit for Incomplete List of Disallowed Inputs in Fasterxml Jackson-Databind

🔥 Jackson RCE Exploiter - Enterprise Bypass Edition !Versi...

PT-2025-34835 · Git · Json2Avro

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=438873397 Crash type: Security exception Crash state: com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deser com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.mapOb...

SUSE CVE-2018-19361

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization...

GHSA-QJW2-HR98-QGFH Unsafe Deserialization in jackson-databind

FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration...

Exploit for Deserialization of Untrusted Data in Fasterxml Jackson-Databind

CVE-2020-8840 Jackson-databind远程代码执行漏洞（CVE-2020-8840）分析复现环境代码。 项目包含： jackson-databind、Fastjson中payload WebServer恶意类 编译好的marshalsec-0.0.3-SNAPSHOT-all.jar 漏洞简介 Jackson-databind远程代码执行漏洞（CVE-2020-8840），攻击者可利用xbean-reflect的利用链（org.apache.xbean.propertyeditor.JndiConverter）触发JNDI远程类加载从而达到远程代码执行。...

GHSA-6WQP-V4V6-C87C Deserialization of Untrusted Data

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled either globally or for a specific property, the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to ma...

UBUNTU-CVE-2018-1000873

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service DoS. This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the...

GHSA-VVJC-Q5VR-52Q6 Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks

Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows to specify such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in various...

Remote Code Execution (RCE)

jackson-databind is vulnerable to remote code execution RCE attacks. Attackers can exploit an incomplete fix of CVE-2017-7525 and CVE-2017-17485 to bypass the blacklist during Jackson deserialization. In order to be vulnerable to this attack, either the use of @JsonTypeInfouse =...