CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2 days ago•3 views

CVE-2026-48028

6.5CVSS0.00124EPSS

Cvelist•added 2 days ago•14 views

CVE-2026-48028 Mastodon: Removal of integrity-protected JSON entries from signed activities

6.5CVSS0.00124EPSS

CVE•added 2 days ago•8 views

CVE-2026-46349

CVE-2026-46349 affects Mastodon before versions 4.5.10, 4.4.17, and 4.3.23. The issue arises from Mastodon’s normalization of incoming activities signed with Linked-Data Signatures, which does not sufficiently prevent a class of spoofing. An attacker could re-arrange a valid signed JSON-LD activi...

5.3CVSS5.9AI score0.00162EPSS

CVE•added 2 days ago•6 views

CVE-2026-56269

Flowise before 3.1.0 (npm package flowise;

4.6CVSS5.8AI score0.00093EPSS

Exploits0References2

Cvelist•added 2 days ago•30 views

CVE-2026-56269 Flowise - Weak Default Token Hash Secret in JWT Token Encryption

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.6CVSS0.00093EPSS

Exploits0References2

OSV•added 2 days ago•5 views

ROOT-OS-DEBIAN-11-CVE-2024-42230 CVE-2024-42230 in rootio-linux - Patched by Root

Root has patched CVE-2024-42230 in the rootio-linux package for Root:Debian:11. Multiple fixed versions available...

4.4CVSS6.8AI score0.00205EPSS

Exploits0

Github Security Blog•added 3 days ago•7 views

jackson-databind has @JsonView bypass for setterless creator properties

Summary In BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInViewactiveView check. A change making SetterlessProperty.isMerging return true routed setterless...

5.3CVSS5.8AI score0.0024EPSS

Exploits0References6Affected Software2

5.3CVSS5.8AI score0.0024EPSS

GHSA-5HH8-Q8HV-FR38 jackson-databind has @JsonView bypass for setterless creator properties

Exploits0References6

Github Security Blog•added 3 days ago•6 views

jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields

Summary POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFERPROPERTYMUTATORS enabled default, the private backing field is retained; during deserialization...

5.3CVSS5.9AI score0.00286EPSS

Exploits0References6Affected Software2

Github Security Blog•added 3 days ago•7 views

jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

Impact Potential Denial-of-Service when attacker sends deeply nested JSON if and only if service: 1. Reads deeply nested 1000s of levels JSON as JsonNode ObjectMapper.readTree 2. Writes out same or modifided node using JsonNode.toString which can consume significant amount of resources with...

6.3CVSS5.8AI score0.00507EPSS

Exploits0References4Affected Software1

OSV•added 3 days ago•4 views

DEBIAN-CVE-2026-54514

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution fo...

5.3CVSS5.9AI score0.00229EPSS

NVD•added 3 days ago•5 views

CVE-2026-54516

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed...

5.3CVSS0.00286EPSS

6.3CVSS5.8AI score0.00507EPSS

DEBIAN-CVE-2026-50193

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if and only if the service reads deeply nested 1000s of levels JSON as JsonNode...

NVD•added 3 days ago•6 views

CVE-2026-50193

6.3CVSS0.00507EPSS

Exploits0References3

OSV•added 3 days ago•3 views

UBUNTU-CVE-2026-50193

6.3CVSS5.8AI score0.00507EPSS

5.3CVSS5.8AI score0.0024EPSS

UBUNTU-CVE-2026-54517

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

Exploits0References9

5.3CVSS5.9AI score0.00286EPSS

UBUNTU-CVE-2026-54516

Exploits0References9

CVE•added 3 days ago•9 views

CVE-2026-54518

The CVE-2026-54518 issue affects jackson-databind’s UnwrappedPropertyHandler path. From 2.21.0 through 2.21.4 and 3.1.0 through 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters without consulting prop.visibleInView(activeView). This...

6.5CVSS5.9AI score0.00225EPSS

EUVD•added 3 days ago•6 views

EUVD-2026-38629

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...

6.5CVSS5.9AI score0.00225EPSS