
vaadin

26 known vulnerabilities across versions, listed by affected version range.
CVE-2026-2742  |  >= 10.0.0 and < 14.14.1  |  5.3 MEDIUM
    An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 2

CVE-2026-2741  |  >= 14.2.0 and < 14.14.1  |  6.8 MEDIUM
    Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.

CVE-2023-25500  |  >= 10.0.0 and < 10.0.23  |  3.5 LOW
    Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24

CVE-2023-25499  |  >= 10.0.0 and < 10.0.23  |  5.7 MEDIUM
    When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0

CVE-2022-29567  |  >= 14.8.5 and <= 14.8.9  |  5.7 MEDIUM
    The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Va

CVE-2021-33611  |  >= 1.0.0 and <= 1.2.0  |  6.1 MEDIUM
    Missing output sanitization in test sources in org.webjars.bowergithub.vaadin:vaadin-menu-bar versions 1.0.0 through 1.2.0 (Vaadin

CVE-2021-33609  |  >= 8.0.0 and < 8.14.1  |  4.3 MEDIUM
    Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) al

CVE-2021-33605  |  >= 1.2.0 and < 2.0.0  |  4.3 MEDIUM
    Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0),

CVE-2021-33604  |  >= 14.0.0 and <= 14.6.1  |  2.5 LOW
    URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.

CVE-2021-31412  |  >= 10.0.0 and <= 10.0.18  |  5.3 MEDIUM
    Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 1

CVE-2021-31409  |  >= 8.0.0 and <= 8.12.4  |  7.5 HIGH
    Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadi

CVE-2021-31411  |  >= 14.0.3 and < 14.5.3  |  6.3 MEDIUM
    Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 (Vaadin

CVE-2021-31410  |  >= 4.3.0 and < 4.6.4  |  8.6 HIGH
    Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers

CVE-2021-31408  |  >= 19.0.0 and < 19.0.4  |  6.3 MEDIUM
    Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadi

CVE-2021-31407  |  >= 12.0.0 and < 14.4.10  |  8.6 HIGH
    Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0

CVE-2021-31406  |  >= 15.0.0 and < 18.0.7  |  4.0 MEDIUM
    Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Va

CVE-2021-31405  |  >= 14.0.6 and < 14.4.4  |  7.5 HIGH
    Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 t

CVE-2021-31404  |  >= 10.0.0 and < 10.0.17  |  4.0 MEDIUM
    Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadi

CVE-2021-31403  |  >= 7.0.0 and < 7.7.24  |  4.0 MEDIUM
    Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaa

CVE-2020-36321  |  >= 14.0.0 and < 14.4.3  |  5.9 MEDIUM
    Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through

CVE-2020-36320  |  >= 7.0.0 and < 7.7.22  |  7.5 HIGH
    Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.

CVE-2020-36319  |  >= 15.0.0 and < 15.0.5  |  3.1 LOW
    Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.

CVE-2019-25028  |  >= 7.4.0 and < 7.7.20  |  5.4 MEDIUM
    Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.

CVE-2019-25027  |  >= 10.0.0 and < 10.0.14  |  6.1 MEDIUM
    Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.

CVE-2018-25007  |  >= 10.0.0 and < 10.0.8  |  2.6 LOW
    Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11

CVE-2011-0509  |  <= 6.4.8
    Cross-site scripting (XSS) vulnerability in Vaadin before 6.4.9 allows remote attackers to inject arbitrary web script or HTML via
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin