Skip to main content
Components
Vulnerabilities
Pricing
MCP
API
Docs
Sign up
Login
Find vulnerabilities. Fix fast with AI.
Search components by package, version, or CVE to get started.
org.apache.pulsar/pulsar-client-all 4.2.3… | Sonatype Guide
Get full component data and automated fixes with Sonatype Guide.
Sign up for free
maven
org.apache.pulsar
pulsar-client-all
4.2.3
pulsar-client-all 4.2.3
Latest
org.apache.pulsar
Published
Jul 3, 2026
•
Policy
compliance
maven Registry
Developer Trust Score
Recommended Version:
x.y.z
Recommended upgrade that meets your policy.
Compare Versions
Overview
Overview
Versions
100
Versions
100
Vulnerabilities
6
Vulnerabilities
6
Dependencies
15
Dependencies
15
Severity
Critical
(0)
High
(0)
Medium
(6)
Low
(0)
CVSS Score
0.0
10.0
EPSS Score
0.0
1.0
Malware
KEV Status
Published
Filter
Sort: Published (Newest first)
6.9
sonatype-2026-004744
jackson-databind - @JsonView bypass via external-type-id creator path
affected
Severity
Medium
Published
Jul 13, 2026
6.3
CVE-2026-59889
Jackson Databind - Authorization bypass on JsonView Setter/Field
affected
Severity
Medium
Published
Jul 8, 2026
6.9
CVE-2026-54515
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
affected
Severity
Medium
Published
Jun 16, 2026
6.9
CVE-2026-54518
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4.
affected
Severity
Medium
Published
Jun 16, 2026
6.3
CVE-2024-53990
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.
affected
Severity
Medium
Published
Dec 3, 2024
6.5
sonatype-2020-0026
netty-handler - Improper Certificate Validation [ formerly CVE-2023-4586 ]
affected
Severity
Medium
Published
Feb 4, 2020