jackson-databind is vulnerable to remote code execution (RCE) attacks. Due to an incomplete fix for `CVE-2017-7525`, attackers can still send malicious code through JSON.