CVE-2026-7860

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...

CVE-2026-7860 Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...

CVE-2026-7860

CVE-2026-7860 describes an information-disclosure risk in Vaadin build tools: Vaadin Maven/Gradle plugins can print the full set of environment variables to build logs when a frontend build fails (non-zero exit). This can expose credentials/secrets in CI logs and artifacts. Affected ranges and fi...

PT-2026-41882

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...

This Week in Spring - April 28th, 2026

Hi Spring fans! Welcome to another installment of This Week in Spring! As I write this, I'm on PTO in beautiful Santorini, Greece, catching up on some news and about to cruise the islands for some sightseeing. There's nothing quite like springtime in the Mediterranean! I couldn't dream of enjoyin...

dev.dsf:dsf-maven-plugin (>=2.0.0 <=2.1.0) potentially affected by CVE-2026-40942 via dev.dsf:dsf-bpe-process-api-v2 (>=2.0.0-M3 <=2.1.0)

dev.dsf:dsf-bpe-process-api-v2 MAVEN version =2.0.0-M3, =2.0.0, =2.1.0 Source cves: CVE-2026-40942 Source advisory: OSV:GHSA-XMJ9-7625-F634...

com.espertech:esperio-springjms (=9.0.0), org.apache.activemq.tooling:activemq-maven-plugin (>=6.0.0 <=6.2.3) +5 more potentially affected by CVE-2026-39304 via org.apache.activemq:activemq-all (>=6.0.0 <=6.2.3)

org.apache.activemq:activemq-all MAVEN version =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.3 Source cves: CVE-2026-39304 Source advisory: OSV:GHSA-5568-6QCG-G7FX...

com.espertech:esperio-springjms (=9.0.0), org.apache.activemq.tooling:activemq-maven-plugin (>=6.0.0 <=6.2.3) +5 more potentially affected by CVE-2025-66168 +1 more via org.apache.activemq:activemq-all (>=6.0.0 <=6.2.3)

org.apache.activemq:activemq-all MAVEN version =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.3 Source cves: CVE-2025-66168, CVE-2026-40046 Source advisory: OSV:GHSA-XVQC-PP94-FMPX...

com.espertech:esperio-springjms (=9.0.0), org.apache.activemq.tooling:activemq-maven-plugin (>=6.0.0 <=6.2.1) +5 more potentially affected by CVE-2026-33227 via org.apache.activemq:activemq-all (>=6.0.0 <=6.2.1)

org.apache.activemq:activemq-all MAVEN version =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.1 Source cves: CVE-2026-33227 Source advisory: OSV:GHSA-H2H4-5M64-M273...

com.espertech:esperio-springjms (=9.0.0), org.apache.activemq.tooling:activemq-maven-plugin (>=6.0.0 <=6.2.2) +5 more potentially affected by CVE-2026-34197 via org.apache.activemq:activemq-all (>=6.0.0 <=6.2.2)

org.apache.activemq:activemq-all MAVEN version =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.2 Source cves: CVE-2026-34197 Source advisory: OSV:GHSA-RXPJ-7QVF-XV32...

org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +8 more potentially affected by CVE-2026-33939 via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)

org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =1.31.0, =1.37.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: CVE-2026-33939 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15807043...

org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +8 more potentially affected by CVE-2026-33938 via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)

org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =1.31.0, =1.37.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: CVE-2026-33938 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15803083...

com.github.searls:jasmine-maven-plugin (>=3.0-alpha-01 <=3.0-beta-02), org.webjars.npm:accord (>=0.28.0 <=0.29.0) +177 more potentially affected by CVE-2026-33750 via org.webjars.npm:brace-expansion (=1.1.12)

org.webjars.npm:brace-expansion MAVEN version =1.1.12 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:brace-expansion and may be impacted: - com.github.searls:jasmine-maven-plugin =3.0-alpha-01, =0.28.0, =2.15.2, =12.1.0, =1.3.0, =0.3.0...

at.ganzleicht.vaadin:vaadin-maven-plugin (>=9.1.1 <=9.1.3.2), au.com.acegi:xml-format-maven-plugin (>=4.0.1 <=4.1.0) +1991 more potentially affected by CVE-2025-67030 via org.codehaus.plexus:plexus-utils (>=4.0.0 <=4.0.2)

org.codehaus.plexus:plexus-utils MAVEN version =4.0.0, =9.1.1, =4.0.1, =0.0.1, =0.0.9, =0.4.0, =0.0.0, =1.9.2, =1.0.0-M5, =1.0.0-M6, =1.0.0-M1, =0.0.3, =0.0.3, =0.0.3, =0.0.3, =1.0.0-M10 and more Source cves: CVE-2025-67030 Source advisory: OSV:GHSA-6FMV-XXPF-W3CW...

ch.acanda.maven:code-analysis-maven-plugin (>=1.6.0 <=1.27.0), com.jpinpoint.sonar:sonar-pmd-jpinpoint (>=2.0.0 <=2.1.1) +116 more potentially affected by CVE-2026-28338 via net.sourceforge.pmd:pmd-core (>=7.0.0-rc1 <=7.21.0)

net.sourceforge.pmd:pmd-core MAVEN version =7.0.0-rc1, =1.6.0, =2.0.0, =0.25.1, =0.25.1, =1.0.0, =0.5.6, =0.5.41, =12.2.0, =3.31.0, =0.7.0, =0.67.2, =0.67.2, =2.0.0, =0.1.0, =0.1.19 and more Source cves: CVE-2026-28338 Source advisory: SNYK:JAVA-NETSOURCEFORGEPMD-15365925...

This Week in Spring - February 17th, 2026

Hi, Spring fans! Welcome to another rip-roaring installment of This Week in Spring! It's Lunar New Year or Chinese New Year for billions of people around the world and to those who celebrate, Happy Chinese/Lunar New Year 新年快乐! Or Happy Spring Festival 春节快乐! My favorite kind of festival! In honor ...

A Bootiful Podcast: Java Champion and hilarious friend, Richard Fichtner

Hi, Spring fans! I've been waiting for this episode for so long! Today, we're finally joined by my friend Richard Fichtner, who so took pity on my plight waiting for music to be added to the GraalVM that his company, XDev Software, created the music-maven-plugin, the best Maven plugin, ever! This...

com.cognifide.aet:jobs (>=2.0.0 <=3.2.2), com.cognifide.aet:w3chtml5validator (>=2.0.0 <=3.2.2) +3 more potentially affected by CVE-2025-15104 via nu.validator:validator (>=15.3.28 <=26.5.9)

nu.validator:validator MAVEN version =15.3.28, =2.0.0, =2.0.0, =1.0, =1.0, =0.0.1, =1.0.0 Source cves: CVE-2025-15104 Source advisory: SNYK:JAVA-NUVALIDATOR-15010790...

Improper Validation of Integrity Check Value

Overview Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value due to the protocDigest parameter being ignored when the protoc executable is sourced from the system PATH. An attacker can bypass integrity verification by placing a malicious protoc binary...

Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH

Summary The expected protocDigest is ignored when protoc is taken from the PATH. Details The documentation for the protocDigest parameter says: ... Users may wish to specify this if using a PATH-based binary ... However, when specifying PATH the protocDigest is not actually checked because the co...