CVE-2026-54512
published 2026-06-23


Priority: P351 (high)
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.62% (45.1th percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Affected

69 ranges (showing 25)

Vendor                               Product                              Version range         Fixed in
ansible-automation-platform-27       de-minimal-rhel9
ansible-automation-platform-27       de-supported-rhel9
candlepinproject                     candlepin
debian                               dogtag-pki
debian                               puppetserver
devspaces                            multicluster-redirector-rhel9
devspaces                            openvsx-rhel9
devspaces                            pluginregistry-rhel9
devspaces                            server-rhel9
eap74-els-openjdk11-openshift-rhel8  eap74-els-openjdk11-openshift-rhel8
eap74-els-openjdk17-openshift-rhel8  eap74-els-openjdk17-openshift-rhel8
eap74-els-openjdk8-openshift-rhel8   eap74-els-openjdk8-openshift-rhel8
fasterxml                            jackson-databind
fasterxml                            jackson-databind
fasterxml                            jackson-databind
fasterxml                            jackson-databind
fasterxml                            jackson-databind                     >= 2.10.0, < 2.18.8   2.18.8
fasterxml                            jackson-databind                     >= 2.19.0, < 2.21.4   2.21.4
fasterxml                            jackson-databind                     >= 3.0.0, < 3.1.4     3.1.4
jboss-eap-7                          eap74-els-openjdk17-openshift-rhel8
jboss-eap-7                          eap74-els-openjdk8-openshift-rhel8
jenkins                              jenkins
ocp-tools-4                          jenkins-rhel8
ocp-tools-4                          jenkins-rhel9
offline-knowledge-portal             rhokp-rhel9
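As an added check that is not part of this record: a script that scans Maven dependency-tree output for jackson-databind and reports, for each version found, the fix release from the affected ranges published for this CVE (2.10.0 to before 2.18.8, 2.19.0 to before 2.21.4, 3.0.0 to before 3.1.4). The dependency-tree sample is constructed, and the Maven groupIds (com.fasterxml.jackson.core for 2.x, tools.jackson.core for 3.x) are assumptions.

```python
"""Flag jackson-databind versions in the CVE-2026-54512 affected ranges from `mvn dependency:tree` output."""
import re
from typing import List, Optional, Tuple

# Affected ranges and fix versions as published for CVE-2026-54512:
# (lower bound inclusive, upper bound exclusive, fixed version)
AFFECTED_RANGES = [
    ((2, 10, 0), (2, 18, 8), "2.18.8"),
    ((2, 19, 0), (2, 21, 4), "2.21.4"),
    ((3, 0, 0), (3, 1, 4), "3.1.4"),
]

# Assumed Maven coordinates: com.fasterxml.jackson.core for 2.x, tools.jackson.core
# for 3.x. Matches e.g. "com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile".
_DEP_RE = re.compile(
    r"(?:com\.fasterxml|tools)\.jackson\.core:jackson-databind:(?:[\w-]+:)?(\d+(?:\.\d+)*)"
)

def parse_version(version: str) -> Tuple[int, ...]:
    """'2.18.8' -> (2, 18, 8). A '-rc1'/'-SNAPSHOT' suffix is dropped and short
    versions are zero-padded so that '2.18' compares as (2, 18, 0)."""
    parts = tuple(int(p) for p in version.split("-")[0].split("."))
    return parts + (0,) * (3 - len(parts))

def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        if lower <= v < upper:
            return fixed
    return None

def scan_dependency_tree(text: str) -> List[Tuple[str, Optional[str]]]:
    """Pair every jackson-databind version found in `text` with its fix release
    (None means the version lies outside all affected ranges)."""
    return [(m.group(1), fixed_version_for(m.group(1))) for m in _DEP_RE.finditer(text)]

# Constructed sample of dependency-tree output; not taken from a real build.
SAMPLE_TREE = """\
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.17.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.21.4:compile
[INFO] +- tools.jackson.core:jackson-databind:jar:3.0.1:compile
"""

if __name__ == "__main__":
    for version, fixed in scan_dependency_tree(SAMPLE_TREE):
        print(f"jackson-databind {version}: {'upgrade to ' + fixed if fixed else 'not affected'}")
```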

CVSS provenance

Source         CVSS version   Score   Severity   Vector
nvd            3.1            8.1     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat                 8.1     HIGH