Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Fasterxml
Fasterxml jackson-databind |
|
| Vendors & Products |
Fasterxml
Fasterxml jackson-databind |
Tue, 14 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays buffered JSON for a @JsonUnwrapped property and calls prop.deserializeAndSet() without a prop.visibleInView(ctxt.getActiveView()) guard, allowing a property annotated with both @JsonView and @JsonUnwrapped to be written from attacker JSON under a less-privileged active view. This issue is fixed in versions 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1. | |
| Title | jackson-databind: @JsonView ypassed for @JsonUnwrapped container properties on deserialization | |
| Weaknesses | CWE-863 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T14:50:17.517Z
Reserved: 2026-07-07T16:40:07.983Z
Link: CVE-2026-59889
Updated: 2026-07-16T14:50:10.109Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T02:15:05Z