com.vaadin:vaadin (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package com.vaadin:vaadin, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (5)
CVE-2022-29567 — CVSS 5.7 (medium): The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin…
CVE-2023-25499 — CVSS 5.7 (medium): When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0…
CVE-2026-2742 — CVSS 5.3 (medium): An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0…
CVE-2025-15022: Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content…
CVE-2023-25500 — CVSS 3.5 (low): Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6…