Search: Vaadin, sorted by recent

37 matches found

Vaadin | added 2026/05/19 12:00 a.m. | 10 views

Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build

A security vulnerability in the Vaadin Maven plugin and Vaadin Gradle plugin exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. See CWE-209: Generation of Error Message Containing Sensitive Information. Description: A possibl...

CVSS 5.8 | AI score 5.8 | EPSS 0.00016
Exploits 0 | References 1 | Affected software 4

Vaadin | added 2026/04/17 12:00 a.m. | 8 views

Vaadin Flow and the axios npm supply-chain compromise

On March 31, 2026, compromised versions of the popular axios HTTP client library 1.14.1 and 0.30.4 were published to NPM via a hijacked maintainer account. The malicious versions injected [email protected], a cross-platform RAT dropper that connected to a command-and-control server. The...

AI score 5.8
Exploits 0 | References 1

Vaadin | added 2026/03/10 12:00 a.m. | 14 views

Unauthorized Session Creation via Reserved Framework Path Access

An authentication bypass vulnerability exists in Vaadin applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, allowing unauthenticated users to trigger framework...

CVSS 5.3 | AI score 5.8 | EPSS 0.00418
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2026/03/10 12:00 a.m. | 8 views

Zip Slip Path Traversal on Node Unpack

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. See CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Pat...

CVSS 6.8 | AI score 5.8 | EPSS 0.00081
Exploits 0 | Affected software 3

Vaadin | added 2026/01/05 12:00 a.m. | 12 views

Cross-site scripting in Action caption

Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing cross-site scripting (XSS) if caption content is derived from user input. See CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Description: In Vaadin Framework 7 and 8...

CVSS 4.8 | AI score 6 | EPSS 0.00014
Exploits 0 | Affected software 4

Vaadin | added 2025/12/09 12:00 a.m. | 19 views

React 19 Server Components Critical Vulnerability (CVE-2025-55182, CVE-2025-55183, CVE-2025-55184)

On December 3, 2025, the React team disclosed a critical remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) affecting React 19 Server Components. This vulnerability has raised concerns among Vaadin users and security scanning tools. Update: On December 11 and 12, 2025, two new...

CVSS 10 | AI score 7.6 | EPSS 0.83197
Exploits 373 | References 1

Vaadin | added 2025/09/26 12:00 a.m. | 16 views

Vaadin Flow, Hilla and the September 2025 npm supply-chain attacks

Recently two major npm supply-chain attacks have been reported, raising concerns about the safety of the broader software ecosystem, including for Vaadin users. The first incident involved compromised maintainer accounts and malicious releases of widely used packages such as debug and chalk. The...

AI score 7.4
Exploits 0

Vaadin | added 2025/09/03 12:00 a.m. | 21 views

Possibility to bypass file upload validation on the server-side

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. See CWE-20: Improper Input Validation. Description: When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is...

CVSS 5.3 | AI score 6.7 | EPSS 0.00127
Exploits 0 | Affected software 4

Vaadin | added 2025/03/31 12:00 a.m. | 40 views

Ingress-Nginx Admission Controller RCE Escalation

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. Note...

CVSS 9.8 | AI score 7.7 | EPSS 0.91625
Exploits 20 | Affected software 1

Vaadin | added 2023/06/22 12:00 a.m. | 64 views

Apache Commons FileUpload - DoS with excessive parts

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option...

CVSS 7.5 | AI score 6.8 | EPSS 0.339
Exploits 1 | Affected software 2

Vaadin | added 2023/06/22 12:00 a.m. | 31 views

Possible information disclosure in non-visible components

When adding non-visible components to the UI on the server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information...

CVSS 6.5 | AI score 6.3 | EPSS 0.00243
Exploits 0 | Affected software 2

Vaadin | added 2023/06/22 12:00 a.m. | 27 views

Possible information disclosure of class and method names in RPC response

Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests. See CWE-1295:...

CVSS 4.3 | AI score 4.5 | EPSS 0.00305
Exploits 0 | Affected software 2

Vaadin | added 2022/05/24 12:00 a.m. | 36 views

Possible information disclosure inside TreeGrid component with default data provider

The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure ...

CVSS 7.5 | AI score 3.3 | EPSS 0.00267
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2022/04/01 12:00 a.m. | 73 views

Spring Core Remote Code Execution via Data Binding on JDK 9+

A remote code execution (RCE) vulnerability was discovered in the Spring framework, affecting at least Spring versions 4.x and 5.x. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the...

CVSS 9.8 | AI score 0.6 | EPSS 0.94428
Exploits 99 | References 2

Vaadin | added 2021/11/01 12:00 a.m. | 38 views

Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14

Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin 14.0.0 through 14.4.4) allows remote attackers to execute malicious JavaScript in the browser by opening a crafted URL. See CWE-79: Improper Neutralization of Input During We...

CVSS 6.1 | AI score 1.4 | EPSS 0.00304
Exploits 1 | References 1 | Affected software 2

Vaadin | added 2021/10/27 12:00 a.m. | 39 views

Denial of service in third-party component in Vaadin 7 and 8

Improper check for exceptional condition in a third-party HTML handling library used in com.vaadin:vaadin-server versions 7.0.0 through 7.7.27 (Vaadin 7.0.0 through 7.7.27) and 8.0.0 through 8.13.3 (Vaadin 8.0.0 through Vaadin 8.13.3) allows network attackers to cause denial of service via unspecifie...

CVSS 7.5 | AI score 1.1 | EPSS 0.03905
Exploits 0 | References 4 | Affected software 2

Vaadin | added 2021/10/13 12:00 a.m. | 27 views

Denial of service in DataCommunicator class in Vaadin 8

Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows an authenticated network attacker to cause heap exhaustion by requesting too many rows of data. See CWE-400: Uncontrolled Resource Consumption. Description: ComboBox and...

CVSS 4.3 | AI score 2.7 | EPSS 0.00612
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2021/08/24 12:00 a.m. | 41 views

Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20

Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0...

CVSS 4.3 | AI score 0.6 | EPSS 0.00336
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2021/06/24 12:00 a.m. | 30 views

Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows a local user to execute arbitrary JavaScript code by opening a crafted URL in the browser. See CWE-172: Encoding Erro...

CVSS 2.5 | AI score 1.7 | EPSS 0.00054
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2021/06/24 12:00 a.m. | 26 views

Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0....

CVSS 5.3 | AI score 1 | EPSS 0.00686
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2021/05/04 12:00 a.m. | 34 views

Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19

Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code...

CVSS 7.8 | AI score 1 | EPSS 0.00049
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2021/04/30 12:00 a.m. | 32 views

Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8

Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. See CWE-400: Uncontrolled Resource...

CVSS 7.5 | AI score 0.6 | EPSS 0.00724
Exploits 0 | References 2 | Affected software 2

Vaadin | added 2021/04/22 12:00 a.m. | 27 views

Project sources exposure in Vaadin Designer

Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request. See CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak'). Affected products and mitigation...

CVSS 8.6 | AI score 2.5 | EPSS 0.0028
Exploits 0

Vaadin | added 2021/04/20 12:00 a.m. | 24 views

Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19

Authentication.logout helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the...

CVSS 7.1 | AI score 0.7 | EPSS 0.00048
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2021/03/29 12:00 a.m. | 20 views

Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows an attacker to access application classes and resources on the server via crafted HTTP request. See CWE-402: Transmission of Private...

CVSS 8.6 | AI score 0.9 | EPSS 0.01802
Exploits 0 | References 3 | Affected software 2

Vaadin | added 2021/03/19 12:00 a.m. | 22 views

Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows an attacker to guess a security token for Fusion endpoints via timing attack...

CVSS 4 | AI score 0.4 | EPSS 0.00054
Exploits 0 | References 2 | Affected software 2

Vaadin | added 2021/03/11 12:00 a.m. | 24 views

Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17

Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses...

CVSS 7.5 | AI score 0.6 | EPSS 0.00468
Exploits 0 | References 2 | Affected software 2

Vaadin | added 2021/02/17 12:00 a.m. | 31 views

Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 through 14.4.6), 3.0.0 prior to 5.0.0 (Vaadin 15 prior to 18), and...

CVSS 4 | AI score 0.3 | EPSS 0.00045
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2021/02/12 12:00 a.m. | 43 views

Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8

Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows an attacker to guess a security token via timing attack. See CWE-208: Observable Timi...

CVSS 4 | AI score 0.5 | EPSS 0.00128
Exploits 0 | References 2 | Affected software 2

Vaadin | added 2020/11/26 12:00 a.m. | 25 views

Directory traversal in development mode handler in Vaadin 14 and 15-17

Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows an attacker to request arbitrary files stored outside of the intended frontend resources folder. See CWE-20: Improper...

CVSS 7.5 | AI score 0.7 | EPSS 0.00551
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2020/10/08 12:00 a.m. | 38 views

Regular expression denial of service (ReDoS) in EmailValidator class in Vaadin 7

Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. See CWE-400: Uncontrolled Resource Consumption. Description...

CVSS 7.5 | AI score 0.5 | EPSS 0.00724
Exploits 1 | References 3 | Affected software 2

Vaadin | added 2020/04/21 12:00 a.m. | 28 views

Potential sensitive data exposure in applications using Vaadin 15

Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController. See CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Description: The...

CVSS 6.5 | AI score 1 | EPSS 0.0039
Exploits 0 | References 3 | Affected software 2

Vaadin | added 2019/07/04 12:00 a.m. | 36 views

Stored cross-site scripting in Grid component in Vaadin 7 and 8

Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows an attacker to inject malicious JavaScript via unspecified vector. See CWE-80: Improper Neutralization of...

CVSS 6.1 | AI score 1.4 | EPSS 0.00347
Exploits 0 | References 2 | Affected software 2

Vaadin | added 2019/05/27 12:00 a.m. | 31 views

Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13

Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows an attacker to execute malicious JavaScript via crafted URL. See CWE-81: Improper...

CVSS 6.1 | AI score 1.3 | EPSS 0.00371
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2018/11/29 12:00 a.m. | 28 views

Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7), and Vaadin 11.0.0 through 11.0.2 allows an attacker to update element property values via crafted synchronization message. See CWE-754: Improper Check for Unusual or Exceptional...

CVSS 4.3 | AI score 1.2 | EPSS 0.00288
Exploits 0 | References 1 | Affected software 2

Vaadin | added 2018/11/13 12:00 a.m. | 18 views

Potential deserialization of untrusted data in Vaadin 7 and 8 when JMX or RMI are enabled

Certain classes in com.vaadin:vaadin-server version 7 (all versions of Vaadin 7), and com.vaadin:vaadin-compatibility-server version 8 (all versions of Vaadin 8) allow an attacker to perform unsafe deserialization when JMX or RMI are enabled. See CWE-502: Deserialization of Untrusted Data. Description...

AI score 2
Exploits 0 | References 3 | Affected software 2

Vaadin | added 2017/05/11 12:00 a.m. | 28 views

Denial of service in UIDL request handler in Vaadin 7 and 8

Improper check for exceptional condition in a third-party JSON handling library used in com.vaadin:vaadin-shared versions 7.4.0 through 7.7.8 (Vaadin 7.4.0 through 7.7.8), and 8.0.0 through 8.0.5 (Vaadin 8.0.0 through 8.0.5) allows an attacker to perform a denial of service (DoS) attack via crafted JSON...

AI score 1.4
Exploits 0 | References 5 | Affected software 2