| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| HIGH | 8.6 | CVE-2021-31407 | OSGi applications using Vaadin 12-14 and 19 vulnerable to server classes and resources exposure | >= 1.2.0, < 2.4.8 |
| MEDIUM | 6.1 | CVE-2019-25027 | Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13 | >= 1.0.0, < 1.0.11 |
| MEDIUM | 5.9 | CVE-2020-36321 | Directory traversal in development mode handler in Vaadin 14 and 15-17 | >= 3.0.0, < 5.0.0 |
| MEDIUM | 5.7 | | Vaadin vulnerable to possible information disclosure in non-visible components | >= 1.0.0, < 1.0.20 |
| MEDIUM | 4.0 | | Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18 | >= 1.0.0, < 1.0.14 |
| MEDIUM | 4.0 | | Timing side channel vulnerability in endpoint request handler in Vaadin 15-19 | >= 3.0.0, < 5.0.4 |
| LOW | 3.5 | | Vaadin vulnerable to possible information disclosure of class and method names in RPC response | >= 1.0.0, < 1.0.21 |
| LOW | 3.1 | | Potential sensitive data exposure in applications using Vaadin 15 | >= 3.0.0, < 3.0.6 |
| LOW | 2.6 | | Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11 | >= 1.0.0, < 1.0.6 |
| — | — | | Vaadin vulnerable to authentication bypass when accessing the /VAADIN endpoint without a trailing slash | from 0, < 14.14.1 |