FasterXML CVE Vulnerabilities & CVE List (86)

Products (CPE): — CVEs: 86

FasterXML vulnerability overview

Aggregates CVE and security vulnerability intelligence across all FasterXML-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Historical issues mainly involve vendor risk input validation, vendor risk path handling, vendor risk file inclusion, and vendor risk buffer overflow and related problems; some flaws may lead to vendor impact file overwrite.

Vulnerability distribution trend (last 24 months)

Showing 8186 of 86 CVEs
«« First « Prev Page 5 / 5 Next »
CVE Summary Source Max CVSS EPSS % Published Updated
CVE-2017-7525 A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. [email protected] 9.8 37.92% 2018-02-06 2026-06-16
CVE-2017-15095 A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. [email protected] 9.8 8.41% 2018-02-06 2026-06-16
CVE-2018-5968 FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. [email protected] 8.1 7.01% 2018-01-21 2026-06-16
CVE-2017-17485 FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. [email protected] 9.8 49.73% 2018-01-10 2026-06-16
CVE-2016-7051 XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. [email protected] 8.6 2.36% 2017-04-14 2026-06-16
CVE-2016-3720 XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors. [email protected] 9.8 2.78% 2016-06-10 2026-06-16
«« First « Prev Page 5 / 5 Next »
cvelogic Threat Intelligence