pkg:Maven/tools.jackson.core:jackson-databind
7 total CVEs: HIGH 2, MEDIUM 5
All known vulnerabilities
| Severity | Score | CVE | Description | Affected versions |
|---|---|---|---|---|
| HIGH | 8.1 | CVE-2026-54513 | jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) | >= 3.0.0, < 3.1.4 |
| HIGH | 8.1 | CVE-2026-54512 | jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation | >= 3.0.0, < 3.1.4 |
| MEDIUM | 6.5 | CVE-2026-54518 | jackson-databind has a @JsonView bypass for unwrapped creator parameters | >= 3.0.0, < 3.1.4 |
| MEDIUM | 5.3 | | jackson-databind has @JsonView bypass for setterless creator properties | >= 3.0.0, < 3.1.4 |
| MEDIUM | 5.3 | | jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields | >= 3.0.0, < 3.1.4 |
| MEDIUM | 5.3 | | jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties | >= 3.1.0, < 3.1.4 |
| MEDIUM | 5.3 | | jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) | >= 2.19.0, < 2.21.4 |