diff --git a/release-notes/VERSION b/release-notes/VERSION
index 9aa4767bc..b3ee657c7 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -51,6 +51,7 @@ One more patch release for 1.9.
 * [databind#2631]: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
 * [databind#2634]: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
 * [databind#2642]: Block one more gadget type (javax.swing, CVE-2020-10969)
+* [databind#2648]: Block one more gadget type (shiro-core)
 1.9.13 (14-Jul-2013)
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index 751e89989..d9a9df13d 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -118,6 +118,9 @@ public class SubTypeValidator
 // [databind#2642]: javax.swing (jdk)
 s.add("javax.swing.JEditorPane");
+ // [databind#2648]: shire-core
+ s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
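Review bot: The comment on the new block-list entry in SubTypeValidator.java reads `shire-core`, while the release note in this same commit and the class's own package (`org.apache.shiro`) say shiro; it should be `// [databind#2648]: shiro-core` so that a search for the library name finds the entry. The entry is one fully-qualified class name added to `DEFAULT_NO_DESER_CLASS_NAMES`, and no test is visible in this commit asserting that polymorphic deserialization of that type is rejected; a regression test would keep the entry from being silently dropped in a later merge. How the set is matched (exact name only, or subclasses too) is decided in code outside this hunk, so whether a subclass of `JndiRealmFactory` would also be refused cannot be confirmed from here. The static initializer this hunk edits starts before the visible lines.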