Product: Vaadin Flow

22 known vulnerabilities across versions
Entries are listed newest CVE first, each with its affected-version range, summary and CVSS score; select any CVE for the full briefing and its intelligence graph. Only 12 of the 22 entries concern Vaadin Flow itself (the summaries that name com.vaadin:flow-server, com.vaadin:flow-client or com.vaadin:vaadin-text-field-flow); the remaining 10 describe other software that shares the name, namely Windmill, Samsung Flow, TotalJS Flow, an Ethereum token called Flow, and TYPO3 Flow, and do not apply to a Vaadin application. The affected-version column carries a single normalized range per CVE, so where the advisory text lists a second version line (CVE-2021-31407, CVE-2021-31408) only the first appears, and for CVE-2026-22683 the range shown does not agree with the versions in the summary; when they differ, go by the summary and the linked briefing.
CVE-2026-22683  |  Affected: >= 1.0.0 and <= 1.2.2  |  CVSS 8.8 HIGH
  Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to

CVE-2025-20972  |  Affected: < 4.9.17.6  |  CVSS 6.2 MEDIUM
  Improper verification of intent by broadcast receiver in Samsung Flow prior to version 4.9.17.6 allows local attackers to modify S

CVE-2025-20971  |  Affected: < 4.9.17.6  |  CVSS 5.5 MEDIUM
  Improper input validation in Samsung Flow prior to version 4.9.17.6 allows local attackers to access data within Samsung Flow.

CVE-2024-49407  |  Affected: < 4.9.15.7  |  CVSS 4.6 MEDIUM
  Improper access control in Samsung Flow prior to version 4.9.15.7 allows physical attackers to access data across multiple user pr

CVE-2024-34600  |  Affected: < 4.9.13.0  |  CVSS 4.4 MEDIUM
  Improper verification of intent by broadcast receiver vulnerability in Samsung Flow prior to version 4.9.13.0 allows local attacke

CVE-2023-30094  |  Affected: all versions  |  CVSS 5.4 MEDIUM
  A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts or HTML vi

CVE-2023-21444  |  Affected: < 4.9.14.0  |  CVSS 7.5 HIGH
  Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or i

CVE-2023-21443  |  Affected: < 4.9.04  |  CVSS 7.5 HIGH
  Improper cryptographic implementation in Samsung Flow for Android prior to version 4.9.04 allows adjacent attackers to decrypt enc

CVE-2021-33604  |  Affected: >= 2.0.0 and <= 2.6.1  |  CVSS 2.5 LOW
  URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.

CVE-2021-31412  |  Affected: >= 1.0.0 and <= 1.0.14  |  CVSS 5.3 MEDIUM
  Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 1

CVE-2021-31411  |  Affected: >= 2.0.9 and < 2.5.3  |  CVSS 6.3 MEDIUM
  Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin

CVE-2021-31408  |  Affected: >= 5.0.0 and < 6.0.0  |  CVSS 6.3 MEDIUM
  Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadi

CVE-2021-31407  |  Affected: >= 1.2.0 and < 2.4.8  |  CVSS 8.6 HIGH
  Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0

CVE-2021-31406  |  Affected: >= 3.0.0 and < 5.0.4  |  CVSS 4.0 MEDIUM
  Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Va

CVE-2021-31405  |  Affected: >= 2.0.4 and < 2.3.3  |  CVSS 7.5 HIGH
  Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 t

CVE-2021-31404  |  Affected: >= 1.0.0 and < 1.0.14  |  CVSS 4.0 MEDIUM
  Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadi

CVE-2020-36321  |  Affected: >= 2.0.0 and < 2.4.2  |  CVSS 5.9 MEDIUM
  Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through

CVE-2020-36319  |  Affected: >= 3.0.0 and < 3.0.6  |  CVSS 3.1 LOW
  Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.

CVE-2019-25027  |  Affected: >= 1.0.0 and < 1.0.11  |  CVSS 6.1 MEDIUM
  Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.

CVE-2018-25007  |  Affected: >= 1.0.0 and < 1.0.6  |  CVSS 2.6 LOW
  Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11

CVE-2018-13525  |  Affected: all versions  |  CVSS 7.5 HIGH
  The mintToken function of a smart contract implementation for Flow, an Ethereum token, has an integer overflow that allows the own

CVE-2013-7082  |  Affected: all versions
  Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in TYPO3 Flow (formerly FLOW
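To turn the affected-version column into something a build can check, here is an added Python example; it is not part of this page and not Vaadin's own tooling. It parses the range syntax the listing uses ("all versions", "< 4.9.17.6", ">= 2.0.9 and < 2.5.3"), embeds the twelve com.vaadin entries above as data, and audits a constructed excerpt of `mvn dependency:list` output, which is where the resolved flow-server version actually comes from, since most projects pin only the Vaadin BOM and pull flow-server in transitively. `matching_advisories`, `audit_dependency_list` and the other names are this example's own; the Maven output is constructed; and the advisory table carries only the single range the page lists per CVE, so an advisory with a second version line (CVE-2021-31407, CVE-2021-31408) is understated here exactly as it is in the listing.

```python
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Map "2.6.1" to (2, 6, 1) and "4.9.17.6" to (4, 9, 17, 6). A non-numeric
    suffix such as "-SNAPSHOT" is dropped; text with no leading digits is rejected."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)

def compare_versions(a: Version, b: Version) -> int:
    """-1, 0 or 1; shorter tuples are zero-padded so 2.5 equals 2.5.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)

_OPS: Dict[str, Callable[[int], bool]] = {
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, "<": lambda c: c < 0,
}
_CLAUSE = re.compile(r"^(>=|<=|>|<)\s*([0-9][0-9A-Za-z.\-]*)$")

def parse_range(expr: str) -> Callable[[Version], bool]:
    """Compile an affected-version expression in the syntax this listing uses
    ("all versions", "< 4.9.17.6", ">= 2.0.9 and < 2.5.3") into a predicate."""
    expr = expr.strip()
    if expr.lower() == "all versions":
        return lambda _v: True
    clauses = []
    for clause in re.split(r"\s+and\s+", expr):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        clauses.append((_OPS[m.group(1)], parse_version(m.group(2))))
    return lambda v: all(op(compare_versions(v, bound)) for op, bound in clauses)

# (CVE, Maven groupId:artifactId, affected range) for the com.vaadin entries above,
# transcribed from the listing: one range per CVE, exactly as the page shows it.
VAADIN_ADVISORIES: List[Tuple[str, str, str]] = [
    ("CVE-2021-33604", "com.vaadin:flow-server", ">= 2.0.0 and <= 2.6.1"),
    ("CVE-2021-31412", "com.vaadin:flow-server", ">= 1.0.0 and <= 1.0.14"),
    ("CVE-2021-31411", "com.vaadin:flow-server", ">= 2.0.9 and < 2.5.3"),
    ("CVE-2021-31408", "com.vaadin:flow-client", ">= 5.0.0 and < 6.0.0"),
    ("CVE-2021-31407", "com.vaadin:flow-server", ">= 1.2.0 and < 2.4.8"),
    ("CVE-2021-31406", "com.vaadin:flow-server", ">= 3.0.0 and < 5.0.4"),
    ("CVE-2021-31405", "com.vaadin:vaadin-text-field-flow", ">= 2.0.4 and < 2.3.3"),
    ("CVE-2021-31404", "com.vaadin:flow-server", ">= 1.0.0 and < 1.0.14"),
    ("CVE-2020-36321", "com.vaadin:flow-server", ">= 2.0.0 and < 2.4.2"),
    ("CVE-2020-36319", "com.vaadin:flow-server", ">= 3.0.0 and < 3.0.6"),
    ("CVE-2019-25027", "com.vaadin:flow-server", ">= 1.0.0 and < 1.0.11"),
    ("CVE-2018-25007", "com.vaadin:flow-server", ">= 1.0.0 and < 1.0.6"),
]

def matching_advisories(artifact: str, version: str) -> List[str]:
    """CVE ids whose listed range contains `version` of `artifact`, in listing order."""
    v = parse_version(version)
    return [cve for cve, art, rng in VAADIN_ADVISORIES
            if art == artifact and parse_range(rng)(v)]

def dependencies_from_mvn_list(output: str) -> List[Tuple[str, str]]:
    """(groupId:artifactId, version) pairs from `mvn dependency:list` output. Resolved
    lines look like "[INFO]    g:a:jar:1.2.3:compile", or have six fields when a
    classifier is present; every other line is skipped."""
    deps = []
    for line in output.splitlines():
        fields = line[6:].strip().split(":") if line.startswith("[INFO]") else []
        if len(fields) == 5:
            group, artifact, _type, version, _scope = fields
        elif len(fields) == 6:
            group, artifact, _type, _classifier, version, _scope = fields
        else:
            continue
        deps.append((f"{group}:{artifact}", version))
    return deps

def audit_dependency_list(output: str) -> Dict[str, List[str]]:
    """Map each affected artifact in the Maven output to its matching CVE ids."""
    findings: Dict[str, List[str]] = {}
    for artifact, version in dependencies_from_mvn_list(output):
        try:
            hits = matching_advisories(artifact, version)
        except ValueError:   # version string we cannot parse, so nothing to match
            continue
        if hits:
            findings[artifact] = hits
    return findings

# Constructed excerpt of `mvn dependency:list` output for a hypothetical Vaadin 14 app.
SAMPLE_MVN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.6.1:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    com.vaadin:flow-server:jar:2.5.0:compile
[INFO]    com.vaadin:flow-client:jar:2.5.0:compile
[INFO]    com.vaadin:vaadin-text-field-flow:jar:2.3.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] ------------------------------------------------------------------------
"""

if __name__ == "__main__":
    for artifact, cves in audit_dependency_list(SAMPLE_MVN_OUTPUT).items():
        print(f"{artifact}: {', '.join(cves)}")
```

Run it against real output with `mvn dependency:list | python audit.py` after swapping the constructed sample for `sys.stdin.read()`. Because the range table is transcribed from this page, a version that sits in an advisory's unlisted second range (Vaadin 18 and 19 lines for CVE-2021-31407 and CVE-2021-31408) will not be flagged; extend the table from the linked briefings before relying on it.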
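Two of the flow-server entries above (CVE-2021-31404 and CVE-2021-31406) describe the same weakness class: a CSRF token compared with a byte-by-byte equality that returns at the first mismatch, so the time a request takes reveals how long a correct prefix the attacker has supplied. The following Python is an added illustration, not Vaadin's code or its fix. It instruments a naive comparison and a constant-time one with a count of bytes examined (standing in for elapsed time, since timing a CPython loop would only add noise), then runs a simulated attacker that recovers a constructed token from that count alone. `early_exit_compare`, `constant_time_compare` and `recover_token` are this example's own names; in production use `hmac.compare_digest` in Python, or `java.security.MessageDigest.isEqual` in a Java application, rather than a hand-written loop.

```python
import hmac
from typing import Callable, Tuple

Comparator = Callable[[bytes, bytes], Tuple[bool, int]]

def early_exit_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """The vulnerable pattern (CWE-208): stop at the first differing byte.
    Returns (equal, bytes_examined); the count models the attacker's stopwatch."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined   # leaves early, so the cost depends on the secret
    return True, examined

def constant_time_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Examine every byte and OR the differences together, so the work done does
    not depend on where the mismatch is. Only the length check returns early,
    and a CSRF token's length is not a secret."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for a, b in zip(expected, supplied):
        diff |= a ^ b
    return diff == 0, len(expected)

def recover_token(compare: Comparator, secret: bytes,
                  alphabet: bytes = b"0123456789abcdef") -> bytes:
    """Simulated attacker who knows the token length and alphabet but not the
    token: at each position try every byte and keep the one whose comparison did
    the most work (and, for the final byte, the one the server accepted)."""
    known = bytearray()
    for pos in range(len(secret)):
        best, best_score = alphabet[0], (-1, False)
        for c in alphabet:
            guess = bytes(known) + bytes([c]) + b"\x00" * (len(secret) - pos - 1)
            equal, cost = compare(secret, guess)
            if (cost, equal) > best_score:
                best, best_score = c, (cost, equal)
        known.append(best)
    return bytes(known)

def production_compare(expected: bytes, supplied: bytes) -> bool:
    """What to ship: the standard library's constant-time comparison."""
    return hmac.compare_digest(expected, supplied)

if __name__ == "__main__":
    token = b"c4f7e2"   # constructed short token so the demo finishes instantly
    print("early-exit compare leaks ->", recover_token(early_exit_compare, token))
    print("constant-time compare    ->", recover_token(constant_time_compare, token))
```

Against `early_exit_compare` the attacker needs at most 16 guesses per position instead of 16 to the power of the token length; against `constant_time_compare` every wrong guess costs the same, the scores tie, and the attacker learns nothing. The hand-written constant-time loop is there to show the shape of the fix; the interpreter gives no timing guarantees for it, which is why the shipping function is `hmac.compare_digest`.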
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin