Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

vaadin — Vulnerabilities & Security Advisories 26

All 26 CVE vulnerabilities found in vaadin, with AI-generated Chinese analysis, references, and POCs.

This page presents a comprehensive aggregation of common vulnerabilities and exposures (CVEs) affecting the Vaadin web application framework. It serves as a centralized resource for tracking security issues associated with this specific vendor and its software ecosystem. The collection encompasses a wide variety of vulnerability types, including but not limited to cross-site scripting, broken access control, and injection flaws that may impact the integrity or confidentiality of applications built on the platform. The data spans from the inception of public records to the present day, ensuring a historical perspective on how security postures have evolved over time. Users can utilize this resource to track Vaadin’s official security advisories and understand the lifecycle of patches for specific weakness classes. It also allows for a detailed look at a product’s vulnerability history, helping developers identify patterns in past releases and prioritize updates. By providing a structured view of these security events, the page aids in risk assessment and compliance monitoring. The information is organized to facilitate easy navigation through time-stamped entries, allowing stakeholders to correlate incidents with specific version numbers. This approach supports informed decision-making for system administrators and security analysts who need to evaluate the current threat landscape surrounding Vaadin components without sifting through disparate sources.

Vendor: Vaadin

CVE IDTitleCVSSSeverityPublished
CVE-2026-2742 Unauthorized session creation via reserved framework path access CWE-284 9.1AICriticalAI2026-03-10
CVE-2026-2741 Zip Slip Path Traversal on Node Unpack CWE-22 6.7AIMediumAI2026-03-10
CVE-2025-15022 Cross-site scripting in Action caption CWE-79 6.1 -2026-01-05
CVE-2025-9467 Possibility to bypass file upload validation on the server-side CWE-20 7.5AIHighAI2025-09-04
CVE-2023-25500 Vaadin 信息泄露漏洞 CWE-200 3.5 Low2023-06-22
CVE-2023-25499 Possible information disclosure in non visible components CWE-200 5.7 Medium2023-06-22
CVE-2022-29567 Possible information disclosure inside TreeGrid component with default data provider CWE-200 5.7 Medium2022-05-24
CVE-2021-33611 Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14 CWE-79 6.1 Medium2021-11-02
CVE-2021-33609 Denial of service in DataCommunicator class in Vaadin 8 CWE-400 4.3 Medium2021-10-13
CVE-2021-33605 Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20 CWE-754 4.3 Medium2021-08-25
CVE-2021-31412 Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19 CWE-1295 5.3 Medium2021-06-24
CVE-2021-33604 Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19 CWE-172 2.5 Low2021-06-24
CVE-2021-31409 Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19 CWE-400 7.5 High2021-05-05
CVE-2021-31411 Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 CWE-379 6.3 Medium2021-05-05
CVE-2021-31408 Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19 CWE-613 6.3 Medium2021-04-23
CVE-2021-31407 Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19 CWE-402 8.6 High2021-04-23
CVE-2021-31406 Timing side channel vulnerability in endpoint request handler in Vaadin 15-19 CWE-208 4.0 Medium2021-04-23
CVE-2021-31405 Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17 CWE-400 7.5 High2021-04-23
CVE-2021-31404 Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18 CWE-208 4.0 Medium2021-04-23
CVE-2021-31403 Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8 CWE-208 4.0 Medium2021-04-23
CVE-2020-36321 Directory traversal in development mode handler in Vaadin 14 and 15-17 CWE-22 5.9 Medium2021-04-23
CVE-2020-36320 Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7 CWE-400 7.5 High2021-04-23
CVE-2020-36319 Potential sensitive data exposure in applications using Vaadin 15 CWE-200 3.1 Low2021-04-23
CVE-2019-25028 Stored cross-site scripting in Grid component in Vaadin 7 and 8 CWE-80 5.4 Medium2021-04-23
CVE-2018-25007 Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11 CWE-754 2.6 Low2021-04-23
CVE-2019-25027 Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13 CWE-81 6.1 Medium2021-04-23

All 26 known CVE vulnerabilities affecting vaadin with full Chinese analysis, references, and POCs where available.