Visit NES for Jackson Home Page
Jackson Databind 2.15.x Release Notes
2 versions
Comprehensive release notes and changelog for Jackson Databind 2.15.x, including security patches, bug fixes, and feature updates across all supported versions.
July 2026
2.15.6
Released Jul 1, 2026 Full Version:
2.15.4-jackson-databind-2.15.6
Bug Fixes
This release patches the following:
- CVE-2026-54512: validate polymorphic generic type parameters
- CVE-2026-54513: validate array component subtype in BasicPolymorphicTypeValidator
- CVE-2026-54514: avoid eager DNS lookup in InetSocketAddress deserialization
- CVE-2026-54515: case-insensitive deserialization ignores per-property @JsonIgnoreProperties
- CVE-2026-54516: renamed @JsonIgnore'd setters can deserialize via private fields
- CVE-2026-54517: apply active @JsonView filter in property-based deserialization
Dependency Updates
- Jackson BOM (NES)
2.15.4-jackson-bom-2.15.6 - Jackson Annotations (NES)
2.15.4-jackson-annotations-2.15.6 - Jackson Core (NES)
2.15.4-jackson-core-2.15.6
2.15.5
Released Jul 1, 2026 Full Version:
2.15.4-jackson-databind-2.15.5
Notes
- This release originates from the open‑source jackson-databind project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.
Dependency Updates
- Jackson BOM (NES)
2.15.4-jackson-bom-2.15.5 - Jackson Annotations (NES)
2.15.4-jackson-annotations-2.15.5 - Jackson Core (NES)
2.15.4-jackson-core-2.15.5
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh