40 matches found

vulnersOsv
added 2026/01/05 9:30 a.m., 3 views

biz.grundner.vaadin-in-spring:spring-vaadin (=1.0), cn.jhc:umeditor-vaadin-js (=0.0.1) +141 more potentially affected by CVE-2025-15022 via com.vaadin:vaadin-server (>=7.0.0 <=7.7.5)

com.vaadin:vaadin-server MAVEN version =7.0.0, =0.5, =1.1, =1.0, =1.3, =5.0.0, =5.0.0, =5.0.0, =5.2.4 and more Source cves: CVE-2025-15022 Source advisory: OSV:GHSA-7WWV-79XW-RVVG...

CVSS 4.8, AI score 5.8, EPSS 0.00014
Exploits: 0
vulnersOsv
added 2026/01/05 9:30 a.m., 2 views

ca.qc.ircm:plate-layout (=0.8), com.github.ilgun:expandingtextarea (=2.0) +107 more potentially affected by CVE-2025-15022 via com.vaadin:vaadin-server (>=8.0.0 <=8.2.1)

com.vaadin:vaadin-server MAVEN version =8.0.0, =1.0.0, =1.0.0, =1.1.20, =1.0.9, =1.0.9, =1.1.8, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.5 and more Source cves: CVE-2025-15022 Source advisory: OSV:GHSA-7WWV-79XW-RVVG...

CVSS 4.8, AI score 5.8, EPSS 0.00014
Exploits: 0
vulnersOsv
added 2026/01/05 8:40 a.m., 3 views

biz.grundner.vaadin-in-spring:spring-vaadin (=1.0), cn.jhc:umeditor-vaadin-js (=0.0.1) +141 more potentially affected by CVE-2025-15022 via com.vaadin:vaadin-server (>=7.0.0 <=7.7.5)

com.vaadin:vaadin-server MAVEN version =7.0.0, =0.5, =1.1, =1.0, =1.3, =5.0.0, =5.0.0, =5.0.0, =5.2.4 and more Source cves: CVE-2025-15022 Source advisory: SNYK:JAVA-COMVAADIN-14860883...

CVSS 4.8, AI score 5.8, EPSS 0.00014
Exploits: 0
vulnersOsv
added 2026/01/05 8:40 a.m., 2 views

ca.qc.ircm:plate-layout (=0.8), com.github.ilgun:expandingtextarea (=2.0) +107 more potentially affected by CVE-2025-15022 via com.vaadin:vaadin-server (>=8.0.0 <=8.2.1)

com.vaadin:vaadin-server MAVEN version =8.0.0, =1.0.0, =1.0.0, =1.1.20, =1.0.9, =1.0.9, =1.1.8, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.5 and more Source cves: CVE-2025-15022 Source advisory: SNYK:JAVA-COMVAADIN-14860883...

CVSS 4.8, AI score 5.8, EPSS 0.00014
Exploits: 0
Veracode
added 2025/10/08 6:4 p.m., 3 views

Arbitrary File Upload

com.vaadin:vaadin-server is vulnerable to an Arbitrary File Upload. The vulnerability is due to insufficient validation of metadata in the start listener of incoming uploads, which allows an attacker to bypass upload validation and potentially upload unauthorized or malicious files...

CVSS 5.3, AI score 6.8, EPSS 0.00127
Exploits: 0, References: 6, Affected Software: 3
EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2025-26701

Malicious code in bioql PyPI...

CVSS 5.3, AI score 6.3, EPSS 0.00127
Exploits: 0, References: 1
RedhatCVE
added 2025/09/06 6:27 a.m., 3 views

CVE-2025-9467

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 7.0.0 -...

CVSS 5.3, AI score 7.1, EPSS 0.00127
Exploits: 0, References: 1
vulnersOsv
added 2025/09/04 3:54 p.m., 1 view

biz.grundner.vaadin-in-spring:spring-vaadin (=1.0), cn.jhc:umeditor-vaadin-js (=0.0.1) +139 more potentially affected by CVE-2025-9467 via com.vaadin:vaadin-server (>=7.0.0 <=7.7.47)

com.vaadin:vaadin-server MAVEN version =7.0.0, =0.5, =1.1, =1.0, =1.3, =5.0.0, =5.0.0, =5.0.0, =5.2.4 and more Source cves: CVE-2025-9467 Source advisory: OSV:GHSA-9GFH-4FWJ-W3RJ...

CVSS 5.3, AI score 5.8, EPSS 0.00127
Exploits: 0
vulnersOsv
added 2025/09/04 3:54 p.m., 2 views

ca.qc.ircm:plate-layout (=0.8), com.github.ilgun:expandingtextarea (=2.0) +100 more potentially affected by CVE-2025-9467 via com.vaadin:vaadin-server (>=8.0.0 <=8.28.1)

com.vaadin:vaadin-server MAVEN version =8.0.0, =1.0.0, =1.0.0, =1.1.20, =1.1.8, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.5 and more Source cves: CVE-2025-9467 Source advisory: SNYK:JAVA-COMVAADIN-12496925...

CVSS 5.3, AI score 5.8, EPSS 0.00127
Exploits: 0
vulnersOsv
added 2025/09/04 3:54 p.m., 1 view

biz.grundner.vaadin-in-spring:spring-vaadin (=1.0), cn.jhc:umeditor-vaadin-js (=0.0.1) +139 more potentially affected by CVE-2025-9467 via com.vaadin:vaadin-server (>=7.0.0 <=7.7.47)

com.vaadin:vaadin-server MAVEN version =7.0.0, =0.5, =1.1, =1.0, =1.3, =5.0.0, =5.0.0, =5.0.0, =5.2.4 and more Source cves: CVE-2025-9467 Source advisory: SNYK:JAVA-COMVAADIN-12496925...

CVSS 5.3, AI score 5.8, EPSS 0.00127
Exploits: 0
vulnersOsv
added 2025/09/04 3:54 p.m., 3 views

ca.qc.ircm:plate-layout (=0.8), com.github.ilgun:expandingtextarea (=2.0) +100 more potentially affected by CVE-2025-9467 via com.vaadin:vaadin-server (>=8.0.0 <=8.28.1)

com.vaadin:vaadin-server MAVEN version =8.0.0, =1.0.0, =1.0.0, =1.1.20, =1.1.8, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.5 and more Source cves: CVE-2025-9467 Source advisory: OSV:GHSA-9GFH-4FWJ-W3RJ...

CVSS 5.3, AI score 5.8, EPSS 0.00127
Exploits: 0
Snyk
added 2025/09/04 3:54 p.m., 1 view

Arbitrary File Upload

Overview com.vaadin:vaadin-server is a Java framework for modern Java web applications. Affected versions of this package are vulnerable to Arbitrary File Upload via Vaadin Upload's start listener in the multi-upload mode. An attacker can upload unauthorized files by bypassing server-side metadat...

CVSS 5.4, AI score 7.1, EPSS 0.00127
Exploits: 0, References: 2
vulnersOsv
added 2025/08/19 3:31 p.m., 2 views

at.ganzleicht.vaadin:vaadin-server (>=9.1.1 <=9.1.3), br.com.thiagomoreira.liferay.plugins.fix-virtual-host-app:fix-virtual-host-hook (>=2.0.0 <=5.1.0) +663 more potentially affected by CVE-2025-43740 via com.liferay.portal:com.liferay.portal.kernel (>=100.0.0 <=9.4.0)

com.liferay.portal:com.liferay.portal.kernel MAVEN version =100.0.0, =9.1.1, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =0.0.2.RELEASE, =0.0.2.RELEASE, =0.0.2.RELEASE, =0.0.2.RELEASE, =0.0.2.RELEASE, =1.0.0.RELEASE - com.gitee.pif...

CVSS 5.4, AI score 5.8, EPSS 0.00041
Exploits: 0
Veracode
added 2021/10/14 3:42 a.m., 7 views

Denial Of Service (DoS)

vaadin-server is vulnerable to denial of service. The onRequestRows function in DataCommunicator.java does not properly limit the row data requests, allowing malicious users to cause an application crash...

CVSS 4.3, AI score 6.5, EPSS 0.00612
Exploits: 0, References: 4, Affected Software: 1
vulnersOsv
added 2021/10/13 6:54 p.m., 2 views

ca.qc.ircm:plate-layout (=0.8), com.github.mvysny.karibudsl:karibu-dsl-v8 (>=1.0.0 <=1.0.8) +68 more potentially affected by CVE-2021-33609 via com.vaadin:vaadin-server (>=8.0.0 <=8.14.0)

com.vaadin:vaadin-server MAVEN version =8.0.0, =1.0.0, =1.0.0, =1.1.20, =2.0.0, =1.0.0, =2.0.3, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.14.0 and more Source cves: CVE-2021-33609 Source advisory: OSV:GHSA-J23J-Q57M-63V3...

CVSS 4.3, AI score 5.8, EPSS 0.00612
Exploits: 0
Github Security Blog
added 2021/10/13 6:54 p.m., 31 views

Denial of service in DataCommunicator class in Vaadin 8

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 Vaadin 8.0.0 through 8.14.0 allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data...

CVSS 4.3, AI score 5.3, EPSS 0.00612
Exploits: 0, References: 4, Affected Software: 1
vulnersOsv
added 2021/10/13 6:54 p.m., 0 views

com.github.mvysny.karibudsl:karibu-dsl-v8 (>=1.0.0 <=1.0.8), com.github.mvysny.karibudsl:karibu-dsl-v8compat7 (>=1.0.0 <=1.0.8) +50 more potentially affected by CVE-2021-33609 via com.vaadin:vaadin-server (>=8.0.6 <=8.14.0)

com.vaadin:vaadin-server MAVEN version =8.0.6, =1.0.0, =1.0.0, =1.1.20, =2.0.0, =2.0.3, =8.0.6, =8.0.6, =8.0.6, =8.0.6, =8.0.6, =8.0.6, =8.10.0, =8.0.6, =8.10.0, =8.10.0, =8.14.0 and more Source cves: CVE-2021-33609 Source advisory: OSV:GHSA-QCGX-CRRX-38V5...

CVSS 4.3, AI score 5.8, EPSS 0.00612
Exploits: 0
NVD
added 2021/10/13 11:15 a.m., 11 views

CVE-2021-33609

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 Vaadin 8.0.0 through 8.14.0 allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data...

CVSS 4.3, EPSS 0.00612
Exploits: 0, References: 2
OSV
added 2021/10/13 11:15 a.m., 17 views

CVE-2021-33609

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 Vaadin 8.0.0 through 8.14.0 allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data...

CVSS 4.3, AI score 4.5, EPSS 0.00612
Exploits: 0, References: 2
Vaadin
added 2021/10/13 12:0 a.m., 27 views

Denial of service in DataCommunicator class in Vaadin 8

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 Vaadin 8.0.0 through 8.14.0 allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data. See CWE-400: Uncontrolled Resource Consumption Description ComboBox and...

CVSS 4.3, AI score 2.7, EPSS 0.00612
Exploits: 0, References: 1, Affected Software: 2