VYPR

Maven package

com.vaadin/vaadin-server

pkg:maven/com.vaadin/vaadin-server

Vulnerabilities (6)

  • CVE-2025-15022, severity: Medium, published Jan 5, 2026
    affected >= 7.0.0, < 7.7.50; fixed in 7.7.50

    Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple component

  • CVE-2025-9467, severity: Medium, published Sep 4, 2025
    affected >= 7.0.0, < 7.7.48; fixed in 7.7.48

    When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product ver

  • CVE-2021-33609, published Oct 13, 2021
    affected >= 8.0.6, < 8.14.1; fixed in 8.14.1

    Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows an authenticated network attacker to cause heap exhaustion by requesting too many rows of data.

  • CVE-2021-31403, published Apr 23, 2021
    affected >= 7.0.0, < 7.7.24; fixed in 7.7.24

    Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0 through 7.7.23), and 8.0.0 through 8.12.2 (Vaadin 8.0.0 through 8.12.2) allows an attacker to guess a security token via a timing attack.

  • CVE-2020-36320, published Apr 23, 2021
    affected >= 7.0.0.beta1, < 7.7.22; fixed in 7.7.22

    Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

  • CVE-2019-25028, published Apr 23, 2021
    affected >= 7.4.0, < 7.7.20; fixed in 7.7.20

    Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows an attacker to inject malicious JavaScript via an unspecified vector.