Issued at: 2026-07-17
Updated at: 2026-07-17
Synopsis
Important: jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base security update
Description
The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.
Security Fix(es):
* jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution (CVE-2026-54513)
* jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass (CVE-2026-54512)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.