VYPR

Maven package

com.vaadin/vaadin

pkg:maven/com.vaadin/vaadin

Vulnerabilities (5)

  • CVE-2026-2742 | Med | Mar 10, 2026
    affected >= 25.0.0, < 25.0.2 | fixed 25.0.2

    An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN

  • CVE-2025-15022 | Med | Jan 5, 2026
    affected >= 23.1.0, < 23.6.6 | fixed 23.6.6

    Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple component

  • CVE-2023-25500 | Jun 22, 2023
    affected >= 10.0.0, < 10.0.24 | fixed 10.0.24

    Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified reques

  • CVE-2023-25499 | Jun 22, 2023
    affected >= 10.0.0, < 10.0.23 | fixed 10.0.23

    When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential in

  • CVE-2022-29567 | May 24, 2022
    affected >= 14.8.5, < 14.8.10 | fixed 14.8.10

    The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential inform