Maven package
com.vaadin/vaadin-server
pkg:maven/com.vaadin/vaadin-server
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-15022 | Med | — | >= 7.0.0, < 7.7.50 | 7.7.50 | Jan 5, 2026 | Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple component | |
| CVE-2025-9467 | Med | — | >= 7.0.0, < 7.7.48 | 7.7.48 | Sep 4, 2025 | When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product ver | |
| CVE-2021-33609 | — | >= 8.0.6, < 8.14.1 | 8.14.1 | Oct 13, 2021 | Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data. | ||
| CVE-2021-31403 | — | >= 7.0.0, < 7.7.24 | 7.7.24 | Apr 23, 2021 | Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack | ||
| CVE-2020-36320 | — | >= 7.0.0.beta1, < 7.7.22 | 7.7.22 | Apr 23, 2021 | Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. | ||
| CVE-2019-25028 | — | >= 7.4.0, < 7.7.20 | 7.7.20 | Apr 23, 2021 | Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector |
- affected >= 7.0.0, < 7.7.50fixed 7.7.50
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple component
- affected >= 7.0.0, < 7.7.48fixed 7.7.48
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product ver
- CVE-2021-33609Oct 13, 2021affected >= 8.0.6, < 8.14.1fixed 8.14.1
Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows authenticated network attacker to cause heap exhaustion by requesting too many rows of data.
- CVE-2021-31403Apr 23, 2021affected >= 7.0.0, < 7.7.24fixed 7.7.24
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows attacker to guess a security token via timing attack
- CVE-2020-36320Apr 23, 2021affected >= 7.0.0.beta1, < 7.7.22fixed 7.7.22
Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
- CVE-2019-25028Apr 23, 2021affected >= 7.4.0, < 7.7.20fixed 7.7.20
Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector