Vulnerability-Lookup

CVE-2026-54514 (GCVE-0-2026-54514)

Vulnerability from cvelistv5 – Published: 2026-06-23 20:51 – Updated: 2026-06-25 12:59

Title

jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

Summary

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/FasterXML/jackson-databind/sec…	x_refsource_CONFIRM
https://github.com/FasterXML/jackson-databind/pull/5951	x_refsource_MISC
https://github.com/FasterXML/jackson-databind/com…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
FasterXML	jackson-databind	Affected: >= 2.0.0, < 2.18.8 Affected: >= 2.19.0, < 2.21.4 Affected: >= 3.0.0, < 3.1.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54514",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T12:59:31.298188Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T12:59:39.055Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jackson-databind",
          "vendor": "FasterXML",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.18.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.19.0, \u003c 2.21.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.1.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T20:52:38.568Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/pull/5951",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/pull/5951"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4"
        }
      ],
      "source": {
        "advisory": "GHSA-hgj6-7826-r7m5",
        "discovery": "UNKNOWN"
      },
      "title": "jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54514",
    "datePublished": "2026-06-23T20:51:50.612Z",
    "dateReserved": "2026-06-15T18:01:15.514Z",
    "dateUpdated": "2026-06-25T12:59:39.055Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-54514",
      "date": "2026-06-29",
      "epss": "0.00219",
      "percentile": "0.12276"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-54514\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-23T21:17:02.467\",\"lastModified\":\"2026-06-27T20:55:09.610\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"FasterXML\",\"product\":\"jackson-databind\",\"versions\":[{\"version\":\"\u003e= 2.0.0, \u003c 2.18.8\",\"status\":\"affected\"},{\"version\":\"\u003e= 2.19.0, \u003c 2.21.4\",\"status\":\"affected\"},{\"version\":\"\u003e= 3.0.0, \u003c 3.1.4\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-25T12:59:31.298188Z\",\"id\":\"CVE-2026-54514\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.18.8\",\"matchCriteriaId\":\"F2F45F92-21A6-4F21-B90C-FE73B2FA65B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.19.0\",\"versionEndExcluding\":\"2.21.4\",\"matchCriteriaId\":\"59601D96-4AB4-4B53-8DEC-305A6D442E6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.1.4\",\"matchCriteriaId\":\"5C0F99DE-1DB7-4873-83F9-6CEF8E91F33C\"}]}]}],\"references\":[{\"url\":\"https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/pull/5951\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-54514\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-25T12:59:31.298188Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-25T12:59:35.285Z\"}}], \"cna\": {\"title\": \"jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)\", \"source\": {\"advisory\": \"GHSA-hgj6-7826-r7m5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"FasterXML\", \"product\": \"jackson-databind\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.18.8\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.19.0, \u003c 2.21.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.1.4\"}]}], \"references\": [{\"url\": \"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5\", \"name\": \"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/pull/5951\", \"name\": \"https://github.com/FasterXML/jackson-databind/pull/5951\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4\", \"name\": \"https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T20:52:38.568Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-54514\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-25T12:59:39.055Z\", \"dateReserved\": \"2026-06-15T18:01:15.514Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T20:51:50.612Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-HGJ6-7826-R7M5

Vulnerability from github – Published: 2026-06-23 21:22 – Updated: 2026-06-23 21:22

Summary

jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

Details

Summary

JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.

Impact

An attacker controlling JSON deserialized into an InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.

Affected / Patched (verified via `git tag --contains` on `1f5a103`)

2.18 line: >= 2.18.0, < 2.18.8 -> fixed in 2.18.8
2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4

Severity / CWE

Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).

Upstream fix

FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Severity

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.18.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.19.0"
            },
            {
              "fixed": "2.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "tools.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.19.0"
            },
            {
              "fixed": "2.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "tools.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T21:22:54Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n`JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAddress` field issues an attacker-chosen DNS query during `readValue`, before any application-level validation or connect logic. The fix uses `InetSocketAddress.createUnresolved(host, port)`, deferring DNS to an explicit connect.\n\n## Impact\nAn attacker controlling JSON deserialized into an `InetSocketAddress`-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.\n\n## Affected / Patched (verified via `git tag --contains` on `1f5a103`)\n- 2.18 line: `\u003e= 2.18.0, \u003c 2.18.8` -\u003e fixed in **2.18.8**\n- 2.19-2.21 line: `\u003e= 2.19.0, \u003c 2.21.4` -\u003e fixed in **2.21.4**\n- 3.x line: `\u003e= 3.0.0, \u003c 3.1.4` -\u003e fixed in **3.1.4**\n\n## Severity / CWE\nMaintainer: minor. Reporter: LOW. CWE-918 (SSRF).\n\n## Upstream fix\nFasterXML/jackson-databind#5951 (\"Improve InetSocketAddress deserialization\"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.\n\n## Credits\nOmkhar Arasaratnam (@omkhar) - finder.",
  "id": "GHSA-hgj6-7826-r7m5",
  "modified": "2026-06-23T21:22:54Z",
  "published": "2026-06-23T21:22:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/pull/5951"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-databind"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)"
}

OPENSUSE-SU-2026:11118-1

Vulnerability from csaf_opensuse - Published: 2026-06-25 00:00 - Updated: 2026-06-25 00:00

Summary

jackson-databind-2.18.8-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: jackson-databind-2.18.8-1.1 on GA media

Description of the patch: These are all security issues fixed in the jackson-databind-2.18.8-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-11118

CVE-2026-54513

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-54514

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-54515

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

11 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-54513/	self
https://www.suse.com/security/cve/CVE-2026-54514/	self
https://www.suse.com/security/cve/CVE-2026-54515/	self
https://www.suse.com/security/cve/CVE-2026-54513	external
https://bugzilla.suse.com/1268898	external
https://www.suse.com/security/cve/CVE-2026-54514	external
https://bugzilla.suse.com/1268899	external
https://www.suse.com/security/cve/CVE-2026-54515	external
https://bugzilla.suse.com/1268902	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "jackson-databind-2.18.8-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the jackson-databind-2.18.8-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-11118",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11118-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-54513 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-54513/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-54514 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-54514/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-54515 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-54515/"
      }
    ],
    "title": "jackson-databind-2.18.8-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-06-25T00:00:00Z",
      "generator": {
        "date": "2026-06-25T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:11118-1",
      "initial_release_date": "2026-06-25T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-06-25T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.18.8-1.1.aarch64",
                "product": {
                  "name": "jackson-databind-2.18.8-1.1.aarch64",
                  "product_id": "jackson-databind-2.18.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.18.8-1.1.aarch64",
                "product": {
                  "name": "jackson-databind-javadoc-2.18.8-1.1.aarch64",
                  "product_id": "jackson-databind-javadoc-2.18.8-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.18.8-1.1.ppc64le",
                "product": {
                  "name": "jackson-databind-2.18.8-1.1.ppc64le",
                  "product_id": "jackson-databind-2.18.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.18.8-1.1.ppc64le",
                "product": {
                  "name": "jackson-databind-javadoc-2.18.8-1.1.ppc64le",
                  "product_id": "jackson-databind-javadoc-2.18.8-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.18.8-1.1.s390x",
                "product": {
                  "name": "jackson-databind-2.18.8-1.1.s390x",
                  "product_id": "jackson-databind-2.18.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.18.8-1.1.s390x",
                "product": {
                  "name": "jackson-databind-javadoc-2.18.8-1.1.s390x",
                  "product_id": "jackson-databind-javadoc-2.18.8-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.18.8-1.1.x86_64",
                "product": {
                  "name": "jackson-databind-2.18.8-1.1.x86_64",
                  "product_id": "jackson-databind-2.18.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.18.8-1.1.x86_64",
                "product": {
                  "name": "jackson-databind-javadoc-2.18.8-1.1.x86_64",
                  "product_id": "jackson-databind-javadoc-2.18.8-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.18.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64"
        },
        "product_reference": "jackson-databind-2.18.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.18.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le"
        },
        "product_reference": "jackson-databind-2.18.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.18.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x"
        },
        "product_reference": "jackson-databind-2.18.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.18.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64"
        },
        "product_reference": "jackson-databind-2.18.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.18.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64"
        },
        "product_reference": "jackson-databind-javadoc-2.18.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.18.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le"
        },
        "product_reference": "jackson-databind-javadoc-2.18.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.18.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x"
        },
        "product_reference": "jackson-databind-javadoc-2.18.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.18.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
        },
        "product_reference": "jackson-databind-javadoc-2.18.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-54513",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-54513"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-54513",
          "url": "https://www.suse.com/security/cve/CVE-2026-54513"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268898 for CVE-2026-54513",
          "url": "https://bugzilla.suse.com/1268898"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-25T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-54513"
    },
    {
      "cve": "CVE-2026-54514",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-54514"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-54514",
          "url": "https://www.suse.com/security/cve/CVE-2026-54514"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268899 for CVE-2026-54514",
          "url": "https://bugzilla.suse.com/1268899"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-25T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-54514"
    },
    {
      "cve": "CVE-2026-54515",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-54515"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map - restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-54515",
          "url": "https://www.suse.com/security/cve/CVE-2026-54515"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268902 for CVE-2026-54515",
          "url": "https://bugzilla.suse.com/1268902"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-25T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-54515"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-54514 (GCVE-0-2026-54514)

GHSA-HGJ6-7826-R7M5

Summary

Impact

Affected / Patched (verified via git tag --contains on 1f5a103)

Severity / CWE

Upstream fix

Credits

OPENSUSE-SU-2026:11118-1

Tags

Sightings

Nomenclature

Affected / Patched (verified via `git tag --contains` on `1f5a103`)