diff --git a/release-notes/VERSION b/release-notes/VERSION
index 64d8b684eb..1fa1cc1a87 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -7,8 +7,12 @@ Project: jackson-databind
 #2097: Block more classes from polymorphic deserialization (CVE-2018-14718 - CVE-2018-14721)
+ (reported by Guixiong Wu)
 #2109: Canonical string for reference type is built incorrectly (reported by svarzee@github)
+#2186: Block more classes from polymorphic deserialization (CVE-2018-19360,
+ CVE-2018-19361, CVE-2018-19362)
+ (reported by Guixiong Wu)
 2.8.11.2 (08-Jun-2018)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index ca800c3f44..fc35c67d6e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -76,6 +76,12 @@ public class SubTypeValidator
 s.add("com.sun.deploy.security.ruleset.DRSHelper");
 s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
+ // [databind#2186]: yet more 3rd party gadgets
+ s.add("org.jboss.util.propertyeditor.DocumentEditor");
+ s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
+ s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
+ s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
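Review bot: The four new denylist entries land under a generic "yet more 3rd party gadgets" comment with nothing in the hunk tying them to the CVEs they close and no test in this diff that the names are actually rejected, so a later regression or an accidental removal of one line would go unnoticed. I would make the comment carry the traceability and the limitation: `// [databind#2186]: yet more 3rd party gadgets (CVE-2018-19360, -19361, -19362); exact FQCN matches only, subclasses and shaded/relocated copies are not covered` — the exact-match behaviour is what the `s.add` of fully-qualified names suggests, but the lookup lives in code outside this hunk, so confirm before wording it that way. A unit test that feeds each of the four names through polymorphic deserialization and asserts the rejection should ship with the fix. The class Javadoc is also worth a sentence that this set is a stop-gap against known gadget chains and does not make default typing safe on untrusted input, since the list can only ever trail newly published gadgets; the static initializer this hunk edits begins outside the hunk.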