{"vulnerability": "cve-2026-5451", "sightings": [{"uuid": "3f937ff6-0d03-48b6-9391-52764c61eb73", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-54512", "type": "published-proof-of-concept", "source": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm", "content": "", "creation_timestamp": "2026-06-16T01:10:42.000000Z"}, {"uuid": "ea023d80-d15e-4eeb-8580-d8d61ec6e8fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54513", "type": "seen", "source": "https://bsky.app/profile/suriq.io/post/3moyfja6qza2l", "content": "The safety check you added to keep Java's JSON parser safe has a hole.\n\nJackson's allowlist never checks array contents, so a banned class hidden in an array gets built. (CVE-2026-54513)\n\nFix: jackson-databind 2.18.8 / 2.21.4 / 3.1.4.", "creation_timestamp": "2026-06-23T21:59:11.504088Z"}, {"uuid": "66b5df75-2164-4eb3-b666-4de16b10ceec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54516", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3moym3osjcc2s", "content": "CVE-2026-54516 - jackson-databind: Renamed @JsonIgnore'd setters can deserialize via private fields\nCVE ID : CVE-2026-54516\n \n Published : June 23, 2026, 8:48 p.m. | 2\u00a0hours, 55\u00a0minutes ago\n \n Description : jackson-databind contains the general-purpose data-binding functionali...", "creation_timestamp": "2026-06-23T23:56:52.489295Z"}, {"uuid": "063c27bb-f921-49de-8970-73b75218e36a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54513", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3moym72ggiz2y", "content": "CVE-2026-54513 - jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)\nCVE ID : CVE-2026-54513\n \n Published : June 23, 2026, 8:53 p.m. | 2\u00a0hours, 50\u00a0minutes ago\n \n Description : jackson-databind contains the general-purpose d...", "creation_timestamp": "2026-06-23T23:58:45.357702Z"}, {"uuid": "cb5f1737-86ed-4b1f-a6d9-b0ed3fbfc9aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54518", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3moymgidgrg2f", "content": "CVE-2026-54518 - jackson-databind: @JsonView bypass for unwrapped creator parameters in jackson-databind\nCVE ID : CVE-2026-54518\n \n Published : June 23, 2026, 9:02 p.m. | 2\u00a0hours, 42\u00a0minutes ago\n \n Description : jackson-databind contains the general-purpose data-binding functi...", "creation_timestamp": "2026-06-24T00:02:54.926216Z"}, {"uuid": "34f27d2d-6275-42f0-8f5e-54a0ef5b3446", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54512", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3moymp44sqy23", "content": "CVE-2026-54512 - jackson-databind: PolymorphicTypeValidator bypass via generic type parameters allows arbitrary class instantiation\nCVE ID : CVE-2026-54512\n \n Published : June 23, 2026, 8:56 p.m. | 2\u00a0hours, 47\u00a0minutes ago\n \n Description : jackson-databind contains the general-...", "creation_timestamp": "2026-06-24T00:07:43.953015Z"}, {"uuid": "720b4f3e-6684-4cb9-bf59-6fe7677c8a6a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54514", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3moynnqc2bg23", "content": "CVE-2026-54514 - jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)\nCVE ID : CVE-2026-54514\n \n Published : June 23, 2026, 8:51 p.m. | 2\u00a0hours, 52\u00a0minutes ago\n \n Description : jackson-databind contains the general-purpose data-binding funct...", "creation_timestamp": "2026-06-24T00:24:52.146667Z"}, {"uuid": "679951c6-fa99-4ccc-a2cb-bdd3aee37202", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54515", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3moyoilsxlk2y", "content": "CVE-2026-54515 - jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties\nCVE ID : CVE-2026-54515\n \n Published : June 23, 2026, 8:50 p.m. | 2\u00a0hours, 53\u00a0minutes ago\n \n Description : jackson-databind contains the general-purpose data-binding...", "creation_timestamp": "2026-06-24T00:39:54.785881Z"}]}