Vaadin Flow 安全漏洞

Vaadin Flow is an open-source application developed by Vaadin. It is a Java framework for the Vaadin platform, used to build modern websites that are visually appealing, perform well, and satisfy both you and your users. Versions of Vaadin Flow from 23.0.0 to 23.6.9, 24.0.0 to 24.10.3, and 25.0.0...

Vaadin Flow and the axios npm supply-chain compromise

On March 31, 2026, compromised versions of the popular axios HTTP client library 1.14.1 and 0.30.4 were published to NPM via a hijacked maintainer account. The malicious versions injected [email protected], a cross-platform RAT dropper that connected to a command-and-control server. The...

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to inconsistent path pattern matching of reserved framework paths. An attacker can create unauthorized sessions and trigger framework initialization by accessing the /VAADIN endpoint without a trailing slash,...

com.github.mcollovati:quarkus-hilla-commons-deployment (=25.0.0-beta1), com.github.mcollovati:quarkus-hilla-deployment (=25.0.0-beta1) +22 more potentially affected by CVE-2026-2741 via com.vaadin:flow-build-tools (>=25.0.0-rc1 <=25.0.2)

com.vaadin:flow-build-tools MAVEN version =25.0.0-rc1, =25.0.0, =25.0.0, =4.0.0, =25.0.0, =25.0.0, =25.0.0, =25.0.0, =25.0.0, =25.0.0, =25.0.0, =25.0.0, =25.0.9, =25.0.12 and more Source cves: CVE-2026-2741 Source advisory: SNYK:JAVA-COMVAADIN-15518324...

com.flowingcode.vaadin.test:testbench-rpc (>=1.4.0 <=1.5.0), com.github.mcollovati.vertx:vaadin-flow-sockjs (>=14.0.0 <=14.0.13) +201 more potentially affected by CVE-2026-2741 via com.vaadin:flow-server (>=2.0.0 <=2.13.0)

com.vaadin:flow-server MAVEN version =2.0.0, =1.4.0, =14.0.0, =14.0.0, =5.3.0, =5.3.0, =5.3.0, =5.3.0, =5.3.0, =5.3.0, =5.3.1 and more Source cves: CVE-2026-2741 Source advisory: SNYK:JAVA-COMVAADIN-15518323...

Vaadin Flow, Hilla and the September 2025 npm supply-chain attacks

Recently two major npm supply-chain attacks have been reported, raising concerns about the safety of the broader software ecosystem, including for Vaadin users. The first incident involved compromised maintainer accounts and malicious releases of widely used packages such as debug and chalk. The...

GHSA-94G8-XV23-7656 Vaadin Flow Components possible file bypass via upload validation on the server-side

Description When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version...

ch.artaios:openchemlib-vaadin (>=1.0.0 <=3.0.0), ch.jubnl:vsecureflow (>=0.0.15 <=0.0.16) +662 more potentially affected by CVE-2023-25499 via com.vaadin:flow-server (>=1.1.0 <=2.8.1)

com.vaadin:flow-server MAVEN version =1.1.0, =1.0.0, =0.0.15, =2.1.1, =1.0.0, =1.0.0, =0.1, =1.0.0, =1.4.0, =0.1.0, =0.2.0 and more Source cves: CVE-2023-25499 Source advisory: OSV:GHSA-5F9V-MV5G-JH5Q...

com.alibaba.rsocket:alibaba-broker-server (>=1.0.1 <=1.1.2), com.beirtipol:jfixtools-reporting (=1.0-BETA) +129 more potentially affected by CVE-2023-25499 via com.vaadin:flow-server (>=3.0.0 <=9.1.0)

com.vaadin:flow-server MAVEN version =3.0.0, =1.0.1, =1.1.6, =15.0.0, =15.0.0, =3.2.3, =0.17.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =9.1.0 and more Source cves: CVE-2023-25499 Source advisory: OSV:GHSA-5F9V-MV5G-JH5Q...

com.vaadin:flow (>=1.0.0 <=1.0.19), com.vaadin:flow-client (>=1.0.0 <=1.0.19) +44 more potentially affected by CVE-2023-25499 via com.vaadin:flow-server (>=1.0.0 <=1.0.2)

com.vaadin:flow-server MAVEN version =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =10.0.2, =2.0.1, =1.0.0, =6.0.1, =1.0.0, =1.0.2 and more Source cves: CVE-2023-25499 Source advisory: OSV:GHSA-5F9V-MV5G-JH5Q...

ch.artaios:openchemlib-vaadin (>=1.0.0 <=3.0.0), ch.jubnl:vsecureflow (>=0.0.15 <=0.0.16) +664 more potentially affected by CVE-2023-25500 via com.vaadin:flow-server (>=1.1.0 <=2.9.2)

com.vaadin:flow-server MAVEN version =1.1.0, =1.0.0, =0.0.15, =2.1.1, =1.0.0, =1.0.0, =0.1, =14.8, =3.7.0, =2.9.3, =1.0.0, =1.0.1 - com.flowingcode.vaadin.addons:zoomist-addon =1.0.0 and more Source cves: CVE-2023-25500 Source advisory: OSV:GHSA-CH48-9R3Q-PV7X...

com.vaadin:flow (>=1.0.0 <=1.0.20), com.vaadin:flow-client (>=1.0.0 <=1.0.20) +44 more potentially affected by CVE-2023-25500 via com.vaadin:flow-server (>=1.0.0 <=1.0.20)

com.vaadin:flow-server MAVEN version =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =10.0.2, =2.0.1, =1.0.0, =6.0.1, =1.0.0, =1.0.2 and more Source cves: CVE-2023-25500 Source advisory: OSV:GHSA-CH48-9R3Q-PV7X...

com.alibaba.rsocket:alibaba-broker-server (>=1.0.1 <=1.1.2), com.beirtipol:jfixtools-reporting (=1.0-BETA) +129 more potentially affected by CVE-2023-25500 via com.vaadin:flow-server (>=3.0.0 <=9.1.10)

com.vaadin:flow-server MAVEN version =3.0.0, =1.0.1, =1.1.6, =15.0.0, =15.0.0, =3.2.3, =0.17.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =9.1.10 and more Source cves: CVE-2023-25500 Source advisory: OSV:GHSA-CH48-9R3Q-PV7X...

Spring Tips: Vaadin Flow and Spring Boot 3

Hi, Spring fans! In this installment, we'll look at the fantastic Vaadin Flow library, which has recently been updated for Spring Boot 3, and how it can help you be happier. the code is available, as usual, here this episode features special guest Marcus Hellberg, VP developer relations from...

This Week in Spring - March 14th, 2023

Hi, Spring fans! Happy Pi π day! And, welcome to another installment of This Week in Spring! It's pouring cats and dogs here in San Francisco! The news is talking about atmospheric rivers; I don't know what that means but I don't know that I want to find out. Anyway, all that to say: I'm glad as...

Vaadin Flow Components 信息泄露漏洞

Vaadin Flow Components is a Maven multi-module project that contains all Vaadin flow components. A security vulnerability exists in Vaadin Flow Components that stems from the default configuration of the TreeGrid component that uses Object::toString as the key for client-server communication in...

com.vaadin:flow (>=1.0.0 <=1.0.14), com.vaadin:flow-client (>=1.0.0 <=1.0.14) +30 more potentially affected by CVE-2021-31412 via com.vaadin:flow-server (>=1.0.0 <=1.0.14)

com.vaadin:flow-server MAVEN version =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =10.0.13, =10.0.18 - com.vaadin:vaadin-board-flow =2.0.1 - com.vaadin:vaadin-button-flow =1.0.0 - com.vaadin:vaadin-charts-flow =6.0.1 - com.vaadin:vaadin-checkbox-flow...

com.beirtipol:jfixtools-reporting (=1.0-BETA), com.beirtipol:jfixtools-ui-vaadin (=1.0-BETA) +109 more potentially affected by CVE-2021-31412 via com.vaadin:flow-server (>=3.0.0 <=6.0.1)

com.vaadin:flow-server MAVEN version =3.0.0, =1.1.6, =15.0.0, =15.0.0, =0.17.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =5.0.0, =6.0.1 and more Source cves: CVE-2021-31412 Source advisory: OSV:GHSA-FR26-QJC8-MVJX...

com.beirtipol:jfixtools-reporting (=1.0-BETA), com.beirtipol:jfixtools-ui-vaadin (=1.0-BETA) +109 more potentially affected by CVE-2021-33604 via com.vaadin:flow-server (>=3.0.0 <=6.0.1)

com.vaadin:flow-server MAVEN version =3.0.0, =1.1.6, =15.0.0, =15.0.0, =0.17.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =5.0.0, =6.0.1 and more Source cves: CVE-2021-33604 Source advisory: OSV:GHSA-8VFW-V2JV-9HWC...

com.alibaba.rsocket:alibaba-broker-server (>=1.0.0 <=1.0.0.RC4), com.dorkbox.GradleVaadin:com.dorkbox.GradleVaadin.gradle.plugin (>=0.1 <=14.1.4) +252 more potentially affected by CVE-2021-33604 via com.vaadin:flow-server (>=2.0.0 <=2.6.1)

com.vaadin:flow-server MAVEN version =2.0.0, =1.0.0, =0.1, =1.4.0, =1.0, =0.0.1, =14.0.0, =14.0.0, =0.0.3, =1.0.0, =0.3.1, =1.0.0, =1.0.0, =0.5.1, =2.0.1, =2.2.3 and more Source cves: CVE-2021-33604 Source advisory: OSV:GHSA-8VFW-V2JV-9HWC...