Lucene search
K

3714 matches found

Tenable Nessus
Tenable Nessus
added 2026/06/24 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-50193

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential...

7.5CVSS6AI score0.00616EPSS
Exploits1References3
OSV
OSV
added 2026/06/23 10:16 p.m.5 views

DEBIAN-CVE-2026-54518

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...

6.5CVSS5.9AI score0.00211EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 10:16 p.m.8 views

CVE-2026-54518

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...

6.5CVSS0.00211EPSS
Exploits0References5
OSV
OSV
added 2026/06/23 10:16 p.m.4 views

UBUNTU-CVE-2026-54518

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...

6.5CVSS5.9AI score0.00211EPSS
Exploits0References9
Snyk
Snyk
added 2026/06/23 9:24 p.m.6 views

Incorrect Authorization

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incorrect Authorization in the...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:24 p.m.4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the BeanDeserializer.deserializeUsingPropertyBased method, whose property-buffering branch omits the prop.visibleInViewactiveView check that the creator-property branch performs. An attacker can populate...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 9:24 p.m.4 views

GHSA-9FXM-VC8V-HJ55 jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields

Summary POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFERPROPERTYMUTATORS enabled default, the private backing field is retained; during deserialization...

5.3CVSS5.9AI score0.00282EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/06/23 9:24 p.m.7 views

jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields

Summary POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFERPROPERTYMUTATORS enabled default, the private backing field is retained; during deserialization...

5.3CVSS5.9AI score0.00282EPSS
Exploits0References6Affected Software2
Snyk
Snyk
added 2026/06/23 9:24 p.m.6 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the POJOPropertiesCollector.renameProperties and BeanDeserializerFactory.addBeanProps methods, which rename rather than drop a property whose getter carri...

6.9CVSS6AI score0.00282EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:24 p.m.18 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object...

6.9CVSS6AI score0.00282EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/23 9:23 p.m.8 views

jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties

Summary In BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block triggered by...

5.3CVSS5.8AI score0.00345EPSS
Exploits0References6Affected Software2
OSV
OSV
added 2026/06/23 9:23 p.m.5 views

GHSA-5JMJ-H7XM-6Q6V jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties

Summary In BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block triggered by...

5.3CVSS5.8AI score0.00345EPSS
Exploits0References6
Snyk
Snyk
added 2026/06/23 9:23 p.m.4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object...

6.9CVSS6AI score0.00345EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 9:22 p.m.8 views

GHSA-HGJ6-7826-R7M5 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

Summary JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an...

5.3CVSS5.9AI score0.00219EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/23 9:22 p.m.8 views

jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

Summary JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an...

5.3CVSS5.9AI score0.00219EPSS
Exploits0References4Affected Software2
Snyk
Snyk
added 2026/06/23 9:22 p.m.6 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the JDKFromStringDeserializer class, which constructs InetSocketAddress and resolves the hostname through DNS at deserialization time. An attacker can force the server to issue outbound DNS lookups fo...

6.9CVSS5.8AI score0.00219EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:22 p.m.15 views

Server-side Request Forgery (SSRF)

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the JDKFromStringDeserializer class,...

6.9CVSS5.8AI score0.00219EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 9:22 p.m.4 views

GHSA-RMJ7-2VXQ-3G9F jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

Summary BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray allowlists any array type based only on clazz.isArray, without validating the array's component element type against the configured allowlist. A PTV built with allowIfSubTypeIsArray plus an explicit concrete-type allowlist...

8.1CVSS5.8AI score0.00677EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/06/23 9:22 p.m.17 views

jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

Summary BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray allowlists any array type based only on clazz.isArray, without validating the array's component element type against the configured allowlist. A PTV built with allowIfSubTypeIsArray plus an explicit concrete-type allowlist...

8.1CVSS5.8AI score0.00677EPSS
Exploits0References7Affected Software2
Snyk
Snyk
added 2026/06/23 9:22 p.m.4 views

Incomplete List of Disallowed Inputs

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the...

9.2CVSS5.8AI score0.00677EPSS
Exploits0References2
Rows per page
Query Builder