diff --git a/.trivyignore b/.trivyignore index 210a8c807..ed6414894 100644 --- a/.trivyignore +++ b/.trivyignore @@ -36,3 +36,11 @@ CVE-2026-42577 exp:2026-09-11 # libcrypto3 C library. No JNI or OpenSSL calls in source. Attack vector (malformed # PKCS#7/S/MIME parsing) is not reachable from this service. See: UID2-7279 CVE-2026-45447 exp:2026-07-11 + +# jackson-databind data-binding vulnerability - no upstream fix released yet (fix targets: 2.18.8, 2.21.4, 3.1.4) +# jackson-databind is pulled in transitively via uid2-shared; the version fix is tracked in +# uid2-shared (https://github.com/IABTechLab/uid2-shared/pull/631) and will flow here on the +# next uid2-shared release. Suppressing in the interim. +# See: UID2-7364 +CVE-2026-54512 exp:2026-07-25 +CVE-2026-54513 exp:2026-07-25
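Review bot: The comment added above CVE-2026-54512 and CVE-2026-54513 justifies the suppression only by fix availability and gives no exposure assessment, unlike the preceding CVE-2026-45447 entry, which records why the attack vector is not reachable from this service. Add a line stating whether this service binds untrusted input through jackson-databind, or what limits the exposure in the interim, since both findings stay hidden until 2026-07-25. The wording is also ambiguous: "no upstream fix released yet" sits next to "the version fix is tracked in uid2-shared (https://github.com/IABTechLab/uid2-shared/pull/631)", so state whether that PR is waiting for 2.18.8, 2.21.4 or 3.1.4 to be published or already pins a fixed version. Both CVEs share the single description "data-binding vulnerability"; if they affect different functionality, a short per-CVE line would make re-evaluation easier when the entries expire.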