CVE-2021-31410— Project sources exposure in Vaadin Designer

CVSS 8.6 · High EPSS 0.28% · P51 Updated Feb 25, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-31410

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Project sources exposure in Vaadin Designer

Source: NVD (National Vulnerability Database)

Vulnerability Description

Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

将私有的资源传输到一个新的空间(资源泄露)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Vaadin Designer 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Vaadin Designer是Vaadin开源的一个应用软件。一个Web应用程序构建器。 Vaadin Designer 4.3.0版本至4.6.3版本存在安全漏洞，该漏洞源于过度宽松的前端资源服务器配置允许远程攻击者可利用该漏洞通过精心制作的HTTP请求访问项目源。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Vaadin	Designer	4.3.0 ~ *	-

II. Public POCs for CVE-2021-31410

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2021-31410

请登录查看更多情报信息。

https://vaadin.com/security/cve-2021-31410x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2021-31410

Same Patch Batch · Vaadin · 2021-04-23 · 13 CVEs total

CVE-2021-31407	8.6 HIGH	Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
CVE-2020-36320	7.5 HIGH	Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7
CVE-2021-31405	7.5 HIGH	Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-1
CVE-2021-31408	6.3 MEDIUM	Server session is not invalidated when logout() helper method of Authentication module is
CVE-2019-25027	6.1 MEDIUM	Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
CVE-2020-36321	5.9 MEDIUM	Directory traversal in development mode handler in Vaadin 14 and 15-17
CVE-2019-25028	5.4 MEDIUM	Stored cross-site scripting in Grid component in Vaadin 7 and 8
CVE-2021-31403	4.0 MEDIUM	Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
CVE-2021-31404	4.0 MEDIUM	Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18
CVE-2021-31406	4.0 MEDIUM	Timing side channel vulnerability in endpoint request handler in Vaadin 15-19
CVE-2020-36319	3.1 LOW	Potential sensitive data exposure in applications using Vaadin 15
CVE-2018-25007	2.6 LOW	Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11

IV. Related Vulnerabilities

Same product: Designer

Same vendor: Vaadin

Same weakness: CWE-402

V. Comments for CVE-2021-31410

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2021-31410— Project sources exposure in Vaadin Designer

I. Basic Information for CVE-2021-31410

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2021-31410

III. Intelligence Information for CVE-2021-31410

Same Patch Batch · Vaadin · 2021-04-23 · 13 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2021-31410

Leave a comment