Jackson-databind
This hub aggregates every CVE we track for Jackson-databind, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
CVEs tracked: 79
Critical: 26
High: 44
In CISA KEV: 0

Severity distribution: High 44, Critical 26, Medium 9
Monthly trend (2024-08 to 2026-07): 24 monthly counts of newly published CVEs, all 0 except a single month with 8.
Latest CVEs
The 15 most recently published vulnerabilities affecting Jackson-databind.
- CVE-2026-54518 (score 6.5): jackson-databind: @JsonView bypass for unwrapped creator parameters in jackson-databind
- CVE-2026-50193 (score 7.5): jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
- CVE-2026-54512 (score 8.1): jackson-databind: PolymorphicTypeValidator bypass via generic type parameters allows arbitrary class instantiation
- CVE-2026-54513 (score 8.1): jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
- CVE-2026-54514 (score 5.3): jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
- CVE-2026-54515 (score 5.3): jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
- CVE-2026-54516 (score 5.3): jackson-databind: Renamed @JsonIgnore'd setters can deserialize via private fields
- CVE-2026-54517 (score 5.3): jackson-databind: @JsonView bypass for setterless creator properties
- CVE-2023-35116 (score 4.7): jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that ...
- CVE-2021-46877 (score 7.5): jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving Jso...
- CVE-2020-10650 (score 8.1): A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.j...
- CVE-2022-42003 (score 7.5): In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting...
- CVE-2022-42004 (score 7.5): In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An applicat...
- CVE-2020-36518 (score 7.5): jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
- CVE-2021-20190 (score 8.1): A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidenti...
Product normalization is registry-driven with AI assist and human review.