Visit NES for Jackson Home Page

Jackson Databind 2.15.x Release Notes

2 versions

Comprehensive release notes and changelog for Jackson Databind 2.15.x, including security patches, bug fixes, and feature updates across all supported versions.

Jul 1, 2026
Latest: 2.15.6
19 Patched Vulnerabilities
VEX Statements

July 2026

Full Version:
2.15.4-jackson-databind-2.15.6

Bug Fixes

This release patches the following:

  • CVE-2026-54512: validate polymorphic generic type parameters
  • CVE-2026-54513: validate array component subtype in BasicPolymorphicTypeValidator
  • CVE-2026-54514: avoid eager DNS lookup in InetSocketAddress deserialization
  • CVE-2026-54515: case-insensitive deserialization ignores per-property @JsonIgnoreProperties
  • CVE-2026-54516: renamed @JsonIgnore'd setters can deserialize via private fields
  • CVE-2026-54517: apply active @JsonView filter in property-based deserialization

Dependency Updates

  • Jackson BOM (NES) 2.15.4-jackson-bom-2.15.6
  • Jackson Annotations (NES) 2.15.4-jackson-annotations-2.15.6
  • Jackson Core (NES) 2.15.4-jackson-core-2.15.6

2.15.5

Released Jul 1, 2026
Full Version:
2.15.4-jackson-databind-2.15.5

Notes

  • This release originates from the open‑source jackson-databind project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.

Dependency Updates

  • Jackson BOM (NES) 2.15.4-jackson-bom-2.15.5
  • Jackson Annotations (NES) 2.15.4-jackson-annotations-2.15.5
  • Jackson Core (NES) 2.15.4-jackson-core-2.15.5

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.