Lucene search
+L
FasterxmlJackson-databind3.0.0

7 matches found

CVE
CVE
added 2026/06/23 8:50 p.m.388 views

CVE-2026-54515

CVE-2026-54515 affects jackson-databind where, from 2.8.0 up to 2.18.9, 2.21.5 and 3.1.4, per-property @JsonIgnoreProperties exclusions are bypassed during a case-insensitive deserialization, making ignored properties writable again. The root cause is in BeanDeserializerBase.createContextual(), w...

5.3CVSS5.8AI score0.00345EPSS
CVE
CVE
added 2026/06/23 8:53 p.m.184 views

CVE-2026-54513

CVE-2026-54513 affects jackson-databind. A vulnerability in BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allows bypass of per-element allowlists when deserializing arrays, if the array element type is not explicitly allowlisted, potentially enabling dangerous types like EvilType[...

8.1CVSS5.8AI score0.00695EPSS
CVE
CVE
added 2026/06/23 8:56 p.m.150 views

CVE-2026-54512

jackson-databind contains a PolymorphicTypeValidator (PTV) bypass vulnerability. When polymorphic typing is enabled and the type ID includes generic parameters, DatabindContext._resolveAndValidateGeneric() validates only the raw container class name, then parses the full canonical type without va...

8.1CVSS5.8AI score0.00617EPSS
CVE
CVE
added 2026/06/23 8:51 p.m.148 views

CVE-2026-54514

CVE-2026-54514 affects jackson-databind’s InetSocketAddress handling during deserialization. From 2.0.0 up to fixes in 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress(host, port), causing eager DNS resolution at readValue time and enabling an attacker to trigger...

5.3CVSS5.9AI score0.00219EPSS
CVE
CVE
added 2026/06/23 9:2 p.m.86 views

CVE-2026-54518

The CVE-2026-54518 issue affects jackson-databind’s UnwrappedPropertyHandler path. From 2.21.0 through 2.21.4 and 3.1.0 through 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters without consulting prop.visibleInView(activeView). This...

6.5CVSS5.9AI score0.00211EPSS
CVE
CVE
added 2026/06/23 8:48 p.m.82 views

CVE-2026-54516

The CVE-2026-54516 vulnerability affects jackson-databind where, from 2.21.0 through 2.21.4 and in 3.1.4, POJOPropertiesCollector._renameProperties() can rename a property annotated with @JsonProperty("renamed") on the getter while the setter is annotated with @JsonIgnore. When MapperFeature.INFE...

5.3CVSS5.9AI score0.00282EPSS
CVE
CVE
added 2026/06/23 8:47 p.m.51 views

CVE-2026-54517

Summary: CVE-2026-54517 affects jackson-databind. In BeanDeserializer._deserializeUsingPropertyBased, the active-view filter was only applied to creator properties; the path for regular properties lacked a visibleInView check. This allowed setterless Collection/Map properties annotated with a res...

5.3CVSS5.9AI score0.00237EPSS