cbcvebase.
CVE-2026-54517
published 2026-06-23

CVE-2026-54517: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in…

PriorityP429medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
0.24%
14.5th percentile
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.

Affected

67 ranges· showing 25
VendorProductVersion rangeFixed in
ansible-automation-platform-27de-minimal-rhel9
ansible-automation-platform-27de-supported-rhel9
candlepinprojectcandlepin
debiandogtag-pki
debianpuppetserver
devspacesmulticluster-redirector-rhel9
devspacesopenvsx-rhel9
devspacespluginregistry-rhel9
devspacesserver-rhel9
eap74-els-openjdk11-openshift-rhel8eap74-els-openjdk11-openshift-rhel8
eap74-els-openjdk17-openshift-rhel8eap74-els-openjdk17-openshift-rhel8
eap74-els-openjdk8-openshift-rhel8eap74-els-openjdk8-openshift-rhel8
fasterxmljackson-databind
fasterxmljackson-databind
fasterxmljackson-databind
fasterxmljackson-databind>= 2.21.0 < 2.21.42.21.4
fasterxmljackson-databind>= 3.0.0 < 3.1.43.1.4
jboss-eap-7eap74-els-openjdk17-openshift-rhel8
jboss-eap-7eap74-els-openjdk8-openshift-rhel8
jenkinsjenkins
ocp-tools-4jenkins-rhel8
ocp-tools-4jenkins-rhel9
offline-knowledge-portalrhokp-rhel9
openshift-serverless-1kn-ekb-dispatcher-rhel9
openshift-serverless-1kn-ekb-receiver-rhel9

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.