CVE-2026-2742
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without ...
Cross-site Scripting (XSS)
Vaadin Framework is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to action captions accepting unsanitized HTML content by default, which allows an attacker to inject and execute malicious scripts when user-controlled input is rendered in UI components...
CVE-2025-15022
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed version...
Cross-site Scripting (XSS)
Overview: com.vaadin:vaadin-server is a Java framework for modern Java web applications. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the ContextMenuManager and Action classes when handling Action captions. An attacker can cause scripts to be executed by injecti...
Cross-site scripting in Action caption
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. See CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Description: In Vaadin Framework 7 and 8...
EUVD-2021-0850
Malware in sbrugna...
Vaadin Framework possible file bypass via upload validation on the server-side
Description: When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version...
Vaadin framework security vulnerability
Vaadin framework is a software application: an application framework for efficiently building modern web applications in pure Java without having to deal with low-level web technologies. A security vulnerability exists in the Vaadin framework that allows an attacker to guess a security token via...
CA AWI 12.0 / 12.1 / 12.2 Cross Site Scripting
SEC Consult Vulnerability Lab Security Advisory. Title: Cross-site scripting; product: CA Automic Workload Automation Web Interface (AWI), formerly Automic Automation Engine, UC4; vulnerable version: 12.0, 12.1, 12.2; fixed version:...
Vaadin Framework 7.7.6 - 7.7.9 Javascript Injection Vulnerability
Vaadin Framework is prone to a JavaScript injection vulnerability. SPDX-FileCopyrightText: 2017 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:vaadin:vaadin"...
Vaadin 7.7.6 Cross Site Scripting
First-time poster, so I'm not sure if this is the best venue, format, etc. https://github.com/vaadin/framework/issues/8731 Using Vaadin 7.7.6, using the example at https://vaadin.com/docs/-/part/framework/components/components-combobox.html but with malicious text that assumes humans are adding the plane...
Vaadin Framework 6.0.0 - 6.8.13 XSS Vulnerability
Vaadin Framework is prone to a cross-site scripting (XSS) vulnerability because the application fails to properly sanitize user-supplied input. SPDX-FileCopyrightText: 2015 SCHUTZWERK GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective rig...
Vaadin Framework 6.2.0 - 6.8.9, 7.0.0 - 7.0.3 Information Disclosure Vulnerability
Vaadin Framework is prone to an information disclosure vulnerability because the application fails to properly sanitize user-supplied input. SPDX-FileCopyrightText: 2015 SCHUTZWERK GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective righ...
Vaadin Framework 7.0.0 - 7.3.6 XSS Vulnerability
Vaadin Framework is prone to a cross-site scripting (XSS) vulnerability because the application fails to properly sanitize user-supplied input. SPDX-FileCopyrightText: 2015 SCHUTZWERK GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective rig...
Vaadin Framework Detection (HTTP)
HTTP-based detection of Vaadin Framework. SPDX-FileCopyrightText: 2015 SCHUTZWERK GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. ifdescription...
Vaadin Framework < 6.6.7 / 6.7.0 Multiple Vulnerabilities
Vaadin Framework is prone to multiple cross-site scripting, information disclosure, and security bypass vulnerabilities because the application fails to properly sanitize user-supplied input. SPDX-FileCopyrightText: 2015 SCHUTZWERK GmbH. Some text descriptions might be excerpted from referenced...
Vaadin Framework 6.0.0 - 6.8.7 HTML Injection Vulnerability
Vaadin Framework is prone to a SPDX-FileCopyrightText: 2015 SCHUTZWERK GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. CPE = "cpe:/a:vaadin:vaadin"; ifdescription...