Deserialization in Swaldman C3p0

CVE-2026-55223

c3p0 is a JDBC connection pooling library. In versions prior to 0.14.0, c3p0, in combination with other libraries, can compose into a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSour…

Vulnerability class: Insecure Deserialization

Affected products

Weakness classification (CWE)

References