5 matches found
Vaadin vulnerable to Cross-site Scripting
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting XSS if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed version...
EUVD-2026-0820
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting XSS if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed version...
CVE-2025-15022
CVE-2025-15022 describes an XSS vulnerability in Vaadin where caption HTML was not sanitized. Affected are Vaadin Framework 7 (7.0.0–7.7.49) and 8 (8.0.0–8.29.1), as well as Vaadin 23.1.0–23.6.5, Vaadin 24.0.0–24.8.13, and Vaadin 24.9.0–24.9.6. Fixed versions sanitize captions by default and, for...
GHSA-QCGX-CRRX-38V5 Denial of service in DataCommunicator class in Vaadin 8
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 Vaadin 8.0.0 through 8.14.0 allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data...
ca.qc.ircm:plate-layout (=0.8), com.github.mvysny.karibudsl:karibu-dsl-v8 (>=1.0.0 <=1.0.4) +65 more potentially affected by CVE-2021-31403 via com.vaadin:vaadin-server (>=8.0.0 <=8.12.2)
com.vaadin:vaadin-server MAVEN version =8.0.0, =1.0.0, =1.0.0, =1.1.20, =1.0.0, =2.0.3, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.12.2 and more Source cves: CVE-2021-31403 Source advisory: OSV:GHSA-75XC-QVXH-27F8...