Vaadin

This hub aggregates every CVE we track for Vaadin, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

OSS Librarieslibrarylibrary

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

MEDIUM17LOW4HIGH4

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Vaadin.

CVE-2026-2742Unauthorized session creation via reserved framework path access5.3Mar 10, 2026
CVE-2026-2741Zip Slip Path Traversal on Node Unpack6.8Mar 10, 2026
CVE-2023-25500Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential informati...3.5Jun 22, 2023
CVE-2023-25499Possible information disclosure in non visible components5.7Jun 22, 2023
CVE-2022-29567Possible information disclosure inside TreeGrid component with default data provider5.7May 24, 2022
CVE-2021-33611Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 146.1Nov 2, 2021
CVE-2021-33609Denial of service in DataCommunicator class in Vaadin 84.3Oct 13, 2021
CVE-2021-33605Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-204.3Aug 25, 2021
CVE-2021-31412Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-195.3Jun 24, 2021
CVE-2021-33604Reflected cross-site scripting in development mode handler in Vaadin 14, 15-192.5Jun 24, 2021
CVE-2021-31409Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-197.5May 5, 2021
CVE-2021-31411Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-196.3May 5, 2021
CVE-2021-31408Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-196.3Apr 23, 2021
CVE-2021-31405Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-177.5Apr 23, 2021
CVE-2021-31407Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 198.6Apr 23, 2021

Product normalization is registry-driven with AI assist and human review. How it works