{"vulnerability": "cve-2026-54513", "sightings": [{"uuid": "ea023d80-d15e-4eeb-8580-d8d61ec6e8fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54513", "type": "seen", "source": "https://bsky.app/profile/suriq.io/post/3moyfja6qza2l", "content": "The safety check you added to keep Java's JSON parser safe has a hole.\n\nJackson's allowlist never checks array contents, so a banned class hidden in an array gets built. (CVE-2026-54513)\n\nFix: jackson-databind 2.18.8 / 2.21.4 / 3.1.4.", "creation_timestamp": "2026-06-23T21:59:11.504088Z"}, {"uuid": "063c27bb-f921-49de-8970-73b75218e36a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54513", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3moym72ggiz2y", "content": "CVE-2026-54513 - jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)\nCVE ID : CVE-2026-54513\n \n Published : June 23, 2026, 8:53 p.m. | 2\u00a0hours, 50\u00a0minutes ago\n \n Description : jackson-databind contains the general-purpose d...", "creation_timestamp": "2026-06-23T23:58:45.357702Z"}]}