com.vaadin:vaadin-server (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package com.vaadin:vaadin-server, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (6)
CVE-2020-36320 — CVSS 7.5 (high): Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 (Vaadin 7.0.0 through 7.7.21)…
CVE-2019-25028 — CVSS 5.4 (medium): Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19)…
CVE-2025-9467: When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload…
CVE-2025-15022: Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content…
CVE-2021-33609 — CVSS 4.3 (medium): Missing check in DataCommunicator class in com.vaadin:vaadin-server versions 8.0.0 through 8.14.0 (Vaadin 8.0.0 through 8.14.0) allows…
CVE-2021-31403 — CVSS 4.0 (medium): Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 (Vaadin 7.0.0…