diff --git a/.trivyignore b/.trivyignore
index 95aa9b7d..034ca026 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -5,3 +5,8 @@
# jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
# See: UID2-6670
GHSA-72hv-8253-57qq exp:2026-09-01
+
+# jackson-databind data-binding vulnerability - no upstream fix released yet (fix targets: 2.18.8, 2.21.4, 3.1.4)
+# See: UID2-7364
+CVE-2026-54512 exp:2026-07-25
+CVE-2026-54513 exp:2026-07-25
diff --git a/pom.xml b/pom.xml
index 27685223..692a4133 100644
--- a/pom.xml
+++ b/pom.xml
@@ -206,10 +206,15 @@
cbor
0.9
+
+ com.fasterxml.jackson.core
+ jackson-core
+ 2.19.0
+
com.fasterxml.jackson.core
jackson-databind
- 2.14.2
+ 2.19.0
org.projectlombok