- CVE ID
- sonatype-2026-004744
- CWE
- N/A
- CVE Description
- jackson-databind - @JsonView bypass via external-type-id creator path
- Published
- Jul 13, 2026
- CVSS Score & Severity
6.9Medium
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
- EPSS Score
- 0%
- KEV Status
Not in KEV Catalog: No known exploits
- Vulnerable Methods
com/fasterxml/jackson/databind/deser/BeanDeserializer.deserializeUsingPropertyBasedWithExternalTypeId(Lcom/fasterxml/jackson/core/JsonParser;Lcom/fasterxml/jackson/databind/DeserializationContext;)Ljava/lang/Object;JVM
tools/jackson/databind/deser/bean/BeanDeserializer.deserializeUsingPropertyBasedWithExternalTypeId(Ltools/jackson/core/JsonParser;Ltools/jackson/databind/DeserializationContext;)Ljava/lang/Object;JVM
- Source
- Sonatype