Jackson Release 2.18.8

Patch version of 2.18, released on May 28, 2026.

Following fixes are included in this patch release.

Changes, core

Streaming

#1611: Apply number-length validator on streaming integer path of async parser

Databind

#5950: Improve UUIDDeserializer error handling
#5951: Improve InetSocketAddress deserialization [CVE-2026-54514]
#5969: @JsonView by-passed for some "setterless" creator properties [CVE-2026-54517]
#5971: @JsonView by-passed for unwrapped creator parameters [CVE-2026-54518]
#5974: @JsonIgnore on Record property ignored with PropertyNamingStrategy
#5981: BasicPolymorphicTypeValidator setting allowIfSubTypeIsArray() should validate element type [CVE-2026-54513]
#5988: PolymorphicTypeValidator needs to validate generic type parameters too [CVE-2026-54512]
#5993: UPPER_SNAKE_CASE / LOWER_CASE NamingStrategyImpls fold case using JVM default locale (Turkish-I bug)

Changes, data formats

Ion

#696: Incomplete number length validation in Ion decoder (for BigDecimal and/or BigInteger)

TOML

#679: Validate integer length for hex/octal/binary radix literals

XML

#863: Fix to support Woodstox 7.2.0 (but no dep version bump)

Uh oh!

Jackson Release 2.18.8

Changes, core

Streaming

Databind

Changes, data formats

Ion

TOML

XML

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!