Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Vaadin — Vulnerabilities & Security Advisories 27

Browse all 27 CVE security advisories affecting Vaadin. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Vaadin is a Java framework primarily used for building modern web applications, enabling developers to create rich user interfaces through server-side rendering. With twenty-seven recorded Common Vulnerabilities and Exposures, the platform has historically faced issues ranging from cross-site scripting and server-side request forgery to privilege escalation and remote code execution. These flaws often stem from improper input validation, insecure deserialization, and inadequate access controls within the framework’s core components. While Vaadin employs standard security practices, its complexity and extensive feature set have occasionally introduced attack surfaces that attackers exploit to gain unauthorized access or execute malicious commands. Recent updates have addressed several critical paths, yet the persistent vulnerability count highlights the ongoing challenge of maintaining robust security in complex enterprise-grade software ecosystems.

Top products by Vaadin: Vaadin Designer
CVE IDTitleCVSSSeverityPublished
CVE-2026-2742 Unauthorized session creation via reserved framework path access — vaadinCWE-284 9.1AICriticalAI2026-03-10
CVE-2026-2741 Zip Slip Path Traversal on Node Unpack — vaadinCWE-22 6.7AIMediumAI2026-03-10
CVE-2025-15022 Cross-site scripting in Action caption — vaadinCWE-79 6.1 -2026-01-05
CVE-2025-9467 Possibility to bypass file upload validation on the server-side — vaadinCWE-20 7.5AIHighAI2025-09-04
CVE-2023-25500 Vaadin 信息泄露漏洞 — vaadinCWE-200 3.5 Low2023-06-22
CVE-2023-25499 Possible information disclosure in non visible components — vaadinCWE-200 5.7 Medium2023-06-22
CVE-2022-29567 Possible information disclosure inside TreeGrid component with default data provider — vaadinCWE-200 5.7 Medium2022-05-24
CVE-2021-33611 Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14 — VaadinCWE-79 6.1 Medium2021-11-02
CVE-2021-33609 Denial of service in DataCommunicator class in Vaadin 8 — VaadinCWE-400 4.3 Medium2021-10-13
CVE-2021-33605 Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20 — VaadinCWE-754 4.3 Medium2021-08-25
CVE-2021-31412 Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19 — VaadinCWE-1295 5.3 Medium2021-06-24
CVE-2021-33604 Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19 — VaadinCWE-172 2.5 Low2021-06-24
CVE-2021-31409 Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19 — VaadinCWE-400 7.5 High2021-05-05
CVE-2021-31411 Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 — VaadinCWE-379 6.3 Medium2021-05-05
CVE-2021-31410 Project sources exposure in Vaadin Designer — DesignerCWE-402 8.6 High2021-04-23
CVE-2021-31408 Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19 — VaadinCWE-613 6.3 Medium2021-04-23
CVE-2021-31407 Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19 — VaadinCWE-402 8.6 High2021-04-23
CVE-2021-31406 Timing side channel vulnerability in endpoint request handler in Vaadin 15-19 — VaadinCWE-208 4.0 Medium2021-04-23
CVE-2021-31405 Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17 — VaadinCWE-400 7.5 High2021-04-23
CVE-2021-31404 Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18 — VaadinCWE-208 4.0 Medium2021-04-23
CVE-2021-31403 Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8 — VaadinCWE-208 4.0 Medium2021-04-23
CVE-2020-36321 Directory traversal in development mode handler in Vaadin 14 and 15-17 — VaadinCWE-22 5.9 Medium2021-04-23
CVE-2020-36320 Regular expression Denial of Service (ReDoS) in EmailValidator class in Vaadin 7 — VaadinCWE-400 7.5 High2021-04-23
CVE-2020-36319 Potential sensitive data exposure in applications using Vaadin 15 — VaadinCWE-200 3.1 Low2021-04-23
CVE-2019-25028 Stored cross-site scripting in Grid component in Vaadin 7 and 8 — VaadinCWE-80 5.4 Medium2021-04-23
CVE-2018-25007 Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11 — VaadinCWE-754 2.6 Low2021-04-23
CVE-2019-25027 Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13 — VaadinCWE-81 6.1 Medium2021-04-23

This page lists every published CVE security advisory associated with Vaadin. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.