com.vaadin:flow-server
Maven | 10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting com.vaadin:flow-server
- CVE-2018-25007 | LOW | CVSS 2.6 | EG 2.6 | ✓ Fixed in 1.0.6 | 2021-04-23
vulnerable: 1.0.0 ... 1.0.5 (6 versions)
Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.
- CVE-2019-25027 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.4.3 | 2021-04-23
vulnerable: 1.1.0 ... 1.4.2 (11 versions)
Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malic…
- CVE-2020-36319 | LOW | CVSS 3.1 | EG 3.1 | ✓ Fixed in 3.0.6 | 2021-04-23
vulnerable: 3.0.0 ... 3.0.5 (6 versions)
Insecure configuration of default ObjectMapper in com.vaadin:flow-server versions 3.0.0 through 3.0.5 (Vaadin 15.0.0 through 15.0.4) may expose sensitive data if the application also uses e.g. @RestController
- CVE-2020-36321 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 2.4.2 | 2021-04-23
vulnerable: 2.0.0 ... 2.4.1 (47 versions)
Improper URL validation in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.4.1 (Vaadin 14.0.0 through 14.4.2), and 3.0 prior to 5.0 (Vaadin 15 prior to 18) allows attacker to request arbitrary files stored outsi…
- CVE-2021-31404 | MEDIUM | CVSS 4.0 | EG 4.0 | ✓ Fixed in 5.0.3 | 2021-04-23
vulnerable: 3.0.0 ... 5.0.2 (27 versions)
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 (Vaadin 10.0.0 through 10.0.16), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.4.6 (Vaadin 14.0.0 t…
- CVE-2021-31406 | MEDIUM | CVSS 4.0 | EG 4.0 | ✓ Fixed in 6.0.1 | 2021-04-23
vulnerable: 6.0.0
Non-constant-time comparison of CSRF tokens in endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0) allows attacker to …
- CVE-2021-31407 | HIGH | CVSS 8.6 | EG 8.6 | ✓ Fixed in 6.0.1 | 2021-04-23
vulnerable: 6.0.0
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via …
- CVE-2023-25499 | MEDIUM | CVSS 5.7 | EG 5.7 | ✓ Fixed in 24.1.0 | 2023-06-22
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 t…
- CVE-2023-25500 | LOW | CVSS 3.5 | EG 3.5 | ✓ Fixed in 24.1.0 | 2023-06-22
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in…
- CVE-2026-2742 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 25.0.2 | 2026-03-10
vulnerable: 25.0.0, 25.0.1
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserv…