7 matches found
CVE-2026-54515
CVE-2026-54515 affects jackson-databind where, from 2.8.0 up to 2.18.9, 2.21.5 and 3.1.4, per-property @JsonIgnoreProperties exclusions are bypassed during a case-insensitive deserialization, making ignored properties writable again. The root cause is in BeanDeserializerBase.createContextual(), w...
CVE-2026-54513
CVE-2026-54513 affects jackson-databind. A vulnerability in BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allows bypass of per-element allowlists when deserializing arrays, if the array element type is not explicitly allowlisted, potentially enabling dangerous types like EvilType[...
CVE-2026-54512
jackson-databind contains a PolymorphicTypeValidator (PTV) bypass vulnerability. When polymorphic typing is enabled and the type ID includes generic parameters, DatabindContext._resolveAndValidateGeneric() validates only the raw container class name, then parses the full canonical type without va...
CVE-2026-54514
CVE-2026-54514 affects jackson-databind’s InetSocketAddress handling during deserialization. From 2.0.0 up to fixes in 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress(host, port), causing eager DNS resolution at readValue time and enabling an attacker to trigger...
CVE-2026-54518
The CVE-2026-54518 issue affects jackson-databind’s UnwrappedPropertyHandler path. From 2.21.0 through 2.21.4 and 3.1.0 through 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters without consulting prop.visibleInView(activeView). This...
CVE-2026-54516
The CVE-2026-54516 vulnerability affects jackson-databind where, from 2.21.0 through 2.21.4 and in 3.1.4, POJOPropertiesCollector._renameProperties() can rename a property annotated with @JsonProperty("renamed") on the getter while the setter is annotated with @JsonIgnore. When MapperFeature.INFE...
CVE-2026-54517
Summary: CVE-2026-54517 affects jackson-databind. In BeanDeserializer._deserializeUsingPropertyBased, the active-view filter was only applied to creator properties; the path for regular properties lacked a visibleInView check. This allowed setterless Collection/Map properties annotated with a res...