CVE-2026-54518
published 2026-06-23


Priority: P3 (38)
CVSS 3.1: 6.5 medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS: 0.21% (11.3th percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4.
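A regression check for the behaviour described above, added here as an example and not taken from the advisory or from the jackson-databind project. It targets the 2.x line (the `com.fasterxml` packages); the view, class, field and property names are assumptions, and the input JSON is constructed. On a fixed build the check passes; on an affected build it fails because the view-gated unwrapped creator parameter is populated under the less privileged view.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonUnwrapped;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class UnwrappedViewCheck {
    // View marker classes (assumed names; AdminView is the more privileged view)
    public static class PublicView {}
    public static class AdminView extends PublicView {}

    // Bean that is unwrapped into the enclosing object; intended to be admin-only
    public static class AdminFlags {
        public boolean superuser;
    }

    public static class Account {
        public final String name;
        public final AdminFlags adminFlags;

        @JsonCreator
        public Account(@JsonProperty("name") @JsonView(PublicView.class) String name,
                       // The combination the advisory describes: a view-gated AND unwrapped creator parameter
                       @JsonProperty("adminFlags") @JsonView(AdminView.class) @JsonUnwrapped AdminFlags adminFlags) {
            this.name = name;
            this.adminFlags = adminFlags;
        }
    }

    /** Returns true if the AdminView-gated unwrapped parameter was populated while PublicView was active. */
    static boolean adminParameterPopulated(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper()
            // Keep the check focused on view gating rather than on unknown-key handling
            .disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        Account acct = mapper.readerWithView(PublicView.class)
                             .forType(Account.class)
                             .readValue(json);
        return acct.adminFlags != null && acct.adminFlags.superuser;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the top-level "superuser" key maps onto the unwrapped admin-only parameter
        String json = "{\"name\":\"alice\",\"superuser\":true}";
        if (adminParameterPopulated(json)) {
            throw new AssertionError("view-gated @JsonUnwrapped creator parameter was populated (CVE-2026-54518 behaviour)");
        }
        System.out.println("OK: view gating enforced for the unwrapped creator parameter");
    }
}
```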

Affected

67 ranges (showing 25)

Vendor                               Product                               Version range        Fixed in
ansible-automation-platform-27       de-minimal-rhel9
ansible-automation-platform-27       de-supported-rhel9
candlepinproject                     candlepin
debian                               dogtag-pki
debian                               puppetserver
devspaces                            multicluster-redirector-rhel9
devspaces                            openvsx-rhel9
devspaces                            pluginregistry-rhel9
devspaces                            server-rhel9
eap74-els-openjdk11-openshift-rhel8  eap74-els-openjdk11-openshift-rhel8
eap74-els-openjdk17-openshift-rhel8  eap74-els-openjdk17-openshift-rhel8
eap74-els-openjdk8-openshift-rhel8   eap74-els-openjdk8-openshift-rhel8
fasterxml                            jackson-databind
fasterxml                            jackson-databind
fasterxml                            jackson-databind
fasterxml                            jackson-databind                      >= 2.21.0 < 2.21.4   2.21.4
fasterxml                            jackson-databind                      >= 3.0.0 < 3.1.4     3.1.4
jboss-eap-7                          eap74-els-openjdk17-openshift-rhel8
jboss-eap-7                          eap74-els-openjdk8-openshift-rhel8
jenkins                              jenkins
ocp-tools-4                          jenkins-rhel8
ocp-tools-4                          jenkins-rhel9
offline-knowledge-portal             rhokp-rhel9
openshift-serverless-1               kn-ekb-dispatcher-rhel9
openshift-serverless-1               kn-ekb-receiver-rhel9

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vendor_redhat            6.5     MEDIUM