Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/com.vaadin/flow-server@2.1.7
Typemaven
Namespacecom.vaadin
Nameflow-server
Version2.1.7
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version23.6.7
Latest_non_vulnerable_version25.0.2
Affected_by_vulnerabilities
0
url VCID-5nk4-urbw-suee
vulnerability_id VCID-5nk4-urbw-suee
summary 
Path Traversal
Improper URL validation in development mode handler in `com.vaadin:flow-server` allows attacker to request arbitrary files stored outside of intended frontend resources folder.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-36321
reference_id
reference_type
scores
0
value 0.00551
scoring_system epss
scoring_elements 0.68345
published_at 2026-06-04T12:55:00Z
1
value 0.00551
scoring_system epss
scoring_elements 0.68387
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-36321
1
reference_url https://github.com/vaadin/flow/pull/9392
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/pull/9392
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-49r2-73m6-pp8f
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-49r2-73m6-pp8f
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-36321
reference_id CVE-2020-36321
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-36321
4
reference_url https://vaadin.com/security/cve-2020-36321
reference_id CVE-2020-36321
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2020-36321
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@2.4.2
purl pkg:maven/com.vaadin/flow-server@2.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hqrf-7nbq-9bdw
1
vulnerability VCID-jxzf-6sus-t7et
2
vulnerability VCID-kkf3-sqmf-f3ft
3
vulnerability VCID-qdgn-1rqg-vuae
4
vulnerability VCID-rqmz-fd9j-ykea
5
vulnerability VCID-tfwa-kphb-j3b8
6
vulnerability VCID-y1d5-d3uj-5qhm
7
vulnerability VCID-yu3h-ecpv-qyhu
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.4.2
1
url pkg:maven/com.vaadin/flow-server@4.0.1
purl pkg:maven/com.vaadin/flow-server@4.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2fz6-rucr-xqax
1
vulnerability VCID-jxzf-6sus-t7et
2
vulnerability VCID-kkf3-sqmf-f3ft
3
vulnerability VCID-qdgn-1rqg-vuae
4
vulnerability VCID-rqmz-fd9j-ykea
5
vulnerability VCID-tfwa-kphb-j3b8
6
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@4.0.1
2
url pkg:maven/com.vaadin/flow-server@5.0.0
purl pkg:maven/com.vaadin/flow-server@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2fz6-rucr-xqax
1
vulnerability VCID-hqrf-7nbq-9bdw
2
vulnerability VCID-jxzf-6sus-t7et
3
vulnerability VCID-kkf3-sqmf-f3ft
4
vulnerability VCID-qdgn-1rqg-vuae
5
vulnerability VCID-rqmz-fd9j-ykea
6
vulnerability VCID-tfwa-kphb-j3b8
7
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@5.0.0
aliases CVE-2020-36321, GHSA-49r2-73m6-pp8f
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5nk4-urbw-suee
1
url VCID-hqrf-7nbq-9bdw
vulnerability_id VCID-hqrf-7nbq-9bdw
summary 
Information Exposure Through Discrepancy
A non-constant-time comparison of CSRF tokens in UIDL request handler in `com.vaadin:flow-server` allows attacker to guess a security token via timing attack.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-31404
reference_id
reference_type
scores
0
value 0.00045
scoring_system epss
scoring_elements 0.14389
published_at 2026-06-04T12:55:00Z
1
value 0.00045
scoring_system epss
scoring_elements 0.14459
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-31404
1
reference_url https://github.com/vaadin/flow/pull/9875
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/pull/9875
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-xwg3-qrcg-w9x6
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-xwg3-qrcg-w9x6
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-31404
reference_id CVE-2021-31404
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-31404
4
reference_url https://vaadin.com/security/cve-2021-31404
reference_id CVE-2021-31404
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2021-31404
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@2.4.7
purl pkg:maven/com.vaadin/flow-server@2.4.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jxzf-6sus-t7et
1
vulnerability VCID-kkf3-sqmf-f3ft
2
vulnerability VCID-qdgn-1rqg-vuae
3
vulnerability VCID-rqmz-fd9j-ykea
4
vulnerability VCID-tfwa-kphb-j3b8
5
vulnerability VCID-y1d5-d3uj-5qhm
6
vulnerability VCID-yu3h-ecpv-qyhu
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.4.7
1
url pkg:maven/com.vaadin/flow-server@4.0.1
purl pkg:maven/com.vaadin/flow-server@4.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2fz6-rucr-xqax
1
vulnerability VCID-jxzf-6sus-t7et
2
vulnerability VCID-kkf3-sqmf-f3ft
3
vulnerability VCID-qdgn-1rqg-vuae
4
vulnerability VCID-rqmz-fd9j-ykea
5
vulnerability VCID-tfwa-kphb-j3b8
6
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@4.0.1
2
url pkg:maven/com.vaadin/flow-server@5.0.3
purl pkg:maven/com.vaadin/flow-server@5.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2fz6-rucr-xqax
1
vulnerability VCID-jxzf-6sus-t7et
2
vulnerability VCID-kkf3-sqmf-f3ft
3
vulnerability VCID-qdgn-1rqg-vuae
4
vulnerability VCID-rqmz-fd9j-ykea
5
vulnerability VCID-tfwa-kphb-j3b8
6
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@5.0.3
aliases CVE-2021-31404, GHSA-xwg3-qrcg-w9x6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hqrf-7nbq-9bdw
2
url VCID-jxzf-6sus-t7et
vulnerability_id VCID-jxzf-6sus-t7et
summary 
Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19
Insecure temporary directory usage in frontend build functionality of `com.vaadin:flow-server` versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

- https://vaadin.com/security/cve-2021-31411
references
0
reference_url https://github.com/vaadin/flow
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow
1
reference_url https://github.com/advisories/GHSA-c57f-4vp2-jqhm
reference_id GHSA-c57f-4vp2-jqhm
reference_type
scores
url https://github.com/advisories/GHSA-c57f-4vp2-jqhm
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-c57f-4vp2-jqhm
reference_id GHSA-c57f-4vp2-jqhm
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-c57f-4vp2-jqhm
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@2.5.3
purl pkg:maven/com.vaadin/flow-server@2.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kkf3-sqmf-f3ft
1
vulnerability VCID-qdgn-1rqg-vuae
2
vulnerability VCID-rqmz-fd9j-ykea
3
vulnerability VCID-tfwa-kphb-j3b8
4
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.5.3
1
url pkg:maven/com.vaadin/flow-server@6.0.6
purl pkg:maven/com.vaadin/flow-server@6.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kkf3-sqmf-f3ft
1
vulnerability VCID-qdgn-1rqg-vuae
2
vulnerability VCID-rqmz-fd9j-ykea
3
vulnerability VCID-tfwa-kphb-j3b8
4
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.6
aliases GHSA-c57f-4vp2-jqhm, GMS-2021-141
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jxzf-6sus-t7et
3
url VCID-kkf3-sqmf-f3ft
vulnerability_id VCID-kkf3-sqmf-f3ft
summary 
Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
Improper sanitization of path in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for `NotFoundException` is provided.
references
0
reference_url https://vaadin.com/security/cve-2021-31412
reference_id CVE-2021-31412
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2021-31412
1
reference_url https://github.com/advisories/GHSA-fr26-qjc8-mvjx
reference_id GHSA-fr26-qjc8-mvjx
reference_type
scores
url https://github.com/advisories/GHSA-fr26-qjc8-mvjx
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-fr26-qjc8-mvjx
reference_id GHSA-fr26-qjc8-mvjx
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-fr26-qjc8-mvjx
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@2.6.2
purl pkg:maven/com.vaadin/flow-server@2.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-qdgn-1rqg-vuae
1
vulnerability VCID-tfwa-kphb-j3b8
2
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.6.2
1
url pkg:maven/com.vaadin/flow-server@6.0.10
purl pkg:maven/com.vaadin/flow-server@6.0.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-qdgn-1rqg-vuae
1
vulnerability VCID-tfwa-kphb-j3b8
2
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.10
aliases GHSA-fr26-qjc8-mvjx, GMS-2021-142
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kkf3-sqmf-f3ft
4
url VCID-qdgn-1rqg-vuae
vulnerability_id VCID-qdgn-1rqg-vuae
summary 
Exposure of Sensitive Information to an Unauthorized Actor
When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-25499
reference_id
reference_type
scores
0
value 0.00243
scoring_system epss
scoring_elements 0.47813
published_at 2026-06-05T12:55:00Z
1
value 0.00243
scoring_system epss
scoring_elements 0.4775
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-25499
1
reference_url https://github.com/vaadin/flow/pull/15885
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T19:58:40Z/
url https://github.com/vaadin/flow/pull/15885
2
reference_url https://github.com/vaadin/platform
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/platform
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25499
reference_id CVE-2023-25499
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-25499
4
reference_url https://vaadin.com/security/CVE-2023-25499
reference_id CVE-2023-25499
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T19:58:40Z/
url https://vaadin.com/security/CVE-2023-25499
5
reference_url https://github.com/advisories/GHSA-5f9v-mv5g-jh5q
reference_id GHSA-5f9v-mv5g-jh5q
reference_type
scores
url https://github.com/advisories/GHSA-5f9v-mv5g-jh5q
6
reference_url https://github.com/vaadin/platform/security/advisories/GHSA-5f9v-mv5g-jh5q
reference_id GHSA-5f9v-mv5g-jh5q
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/platform/security/advisories/GHSA-5f9v-mv5g-jh5q
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@2.8.10
purl pkg:maven/com.vaadin/flow-server@2.8.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tfwa-kphb-j3b8
1
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.8.10
1
url pkg:maven/com.vaadin/flow-server@9.1.1
purl pkg:maven/com.vaadin/flow-server@9.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tfwa-kphb-j3b8
1
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@9.1.1
2
url pkg:maven/com.vaadin/flow-server@23.3.11
purl pkg:maven/com.vaadin/flow-server@23.3.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tfwa-kphb-j3b8
1
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@23.3.11
3
url pkg:maven/com.vaadin/flow-server@24.0.8
purl pkg:maven/com.vaadin/flow-server@24.0.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tfwa-kphb-j3b8
1
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@24.0.8
4
url pkg:maven/com.vaadin/flow-server@24.1.0
purl pkg:maven/com.vaadin/flow-server@24.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@24.1.0
aliases CVE-2023-25499, GHSA-5f9v-mv5g-jh5q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qdgn-1rqg-vuae
5
url VCID-rqmz-fd9j-ykea
vulnerability_id VCID-rqmz-fd9j-ykea
summary Improper Neutralization in com.vaadin:flow-server.
references
0
reference_url https://vaadin.com/security/cve-2021-33604
reference_id CVE-2021-33604
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2021-33604
1
reference_url https://github.com/advisories/GHSA-8vfw-v2jv-9hwc
reference_id GHSA-8vfw-v2jv-9hwc
reference_type
scores
url https://github.com/advisories/GHSA-8vfw-v2jv-9hwc
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-8vfw-v2jv-9hwc
reference_id GHSA-8vfw-v2jv-9hwc
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-8vfw-v2jv-9hwc
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@2.6.2
purl pkg:maven/com.vaadin/flow-server@2.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-qdgn-1rqg-vuae
1
vulnerability VCID-tfwa-kphb-j3b8
2
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.6.2
1
url pkg:maven/com.vaadin/flow-server@6.0.10
purl pkg:maven/com.vaadin/flow-server@6.0.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-qdgn-1rqg-vuae
1
vulnerability VCID-tfwa-kphb-j3b8
2
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.10
aliases GHSA-8vfw-v2jv-9hwc, GMS-2021-140
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rqmz-fd9j-ykea
6
url VCID-tfwa-kphb-j3b8
vulnerability_id VCID-tfwa-kphb-j3b8
summary 
Exposure of Sensitive Information to an Unauthorized Actor
Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-25500
reference_id
reference_type
scores
0
value 0.00305
scoring_system epss
scoring_elements 0.54125
published_at 2026-06-05T12:55:00Z
1
value 0.00305
scoring_system epss
scoring_elements 0.54068
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-25500
1
reference_url https://github.com/vaadin/flow/pull/16935
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T19:59:24Z/
url https://github.com/vaadin/flow/pull/16935
2
reference_url https://github.com/vaadin/platform
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/platform
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25500
reference_id CVE-2023-25500
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-25500
4
reference_url https://vaadin.com/security/cve-2023-25500
reference_id CVE-2023-25500
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-05T19:59:24Z/
url https://vaadin.com/security/cve-2023-25500
5
reference_url https://github.com/advisories/GHSA-ch48-9r3q-pv7x
reference_id GHSA-ch48-9r3q-pv7x
reference_type
scores
url https://github.com/advisories/GHSA-ch48-9r3q-pv7x
6
reference_url https://github.com/vaadin/platform/security/advisories/GHSA-ch48-9r3q-pv7x
reference_id GHSA-ch48-9r3q-pv7x
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/platform/security/advisories/GHSA-ch48-9r3q-pv7x
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@2.9.3
purl pkg:maven/com.vaadin/flow-server@2.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.9.3
1
url pkg:maven/com.vaadin/flow-server@9.1.2
purl pkg:maven/com.vaadin/flow-server@9.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@9.1.2
2
url pkg:maven/com.vaadin/flow-server@23.3.13
purl pkg:maven/com.vaadin/flow-server@23.3.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@23.3.13
3
url pkg:maven/com.vaadin/flow-server@24.0.9
purl pkg:maven/com.vaadin/flow-server@24.0.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@24.0.9
4
url pkg:maven/com.vaadin/flow-server@24.1.0
purl pkg:maven/com.vaadin/flow-server@24.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@24.1.0
aliases CVE-2023-25500, GHSA-ch48-9r3q-pv7x
risk_score 1.6
exploitability 0.5
weighted_severity 3.1
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tfwa-kphb-j3b8
7
url VCID-y1d5-d3uj-5qhm
vulnerability_id VCID-y1d5-d3uj-5qhm
summary 
Vaadin Vulnerable to Authentication Bypass When Accessing the /VAADIN Endpoint Without a Trailing Slash
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.

Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.

Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer.

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and users should update either to the latest 14, 23, 24, 25 version.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2742.json
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2742.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-2742
reference_id
reference_type
scores
0
value 0.00418
scoring_system epss
scoring_elements 0.62222
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-2742
2
reference_url https://github.com/vaadin/flow
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow
3
reference_url https://github.com/vaadin/flow/pull/22998
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/22998
4
reference_url https://github.com/vaadin/flow/pull/23033
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23033
5
reference_url https://github.com/vaadin/flow/pull/23034
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23034
6
reference_url https://github.com/vaadin/flow/pull/23037
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23037
7
reference_url https://github.com/vaadin/flow/pull/23052
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23052
8
reference_url https://github.com/vaadin/flow/pull/23057
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23057
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2446005
reference_id 2446005
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2446005
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-2742
reference_id CVE-2026-2742
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-2742
11
reference_url https://vaadin.com/security/cve-2026-2742
reference_id CVE-2026-2742
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://vaadin.com/security/cve-2026-2742
12
reference_url https://github.com/advisories/GHSA-rjgh-wgc7-m37j
reference_id GHSA-rjgh-wgc7-m37j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rjgh-wgc7-m37j
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@14.14.1
purl pkg:maven/com.vaadin/flow-server@14.14.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@14.14.1
1
url pkg:maven/com.vaadin/flow-server@23.6.7
purl pkg:maven/com.vaadin/flow-server@23.6.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@23.6.7
2
url pkg:maven/com.vaadin/flow-server@24.9.8
purl pkg:maven/com.vaadin/flow-server@24.9.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@24.9.8
3
url pkg:maven/com.vaadin/flow-server@25.0.2
purl pkg:maven/com.vaadin/flow-server@25.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@25.0.2
aliases CVE-2026-2742, GHSA-rjgh-wgc7-m37j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y1d5-d3uj-5qhm
8
url VCID-yu3h-ecpv-qyhu
vulnerability_id VCID-yu3h-ecpv-qyhu
summary 
Exposure of Resource to Wrong Sphere
A vulnerability in the OSGi integration in `com.vaadin:flow-server` allows attackers to access application classes and resources on the server via crafted HTTP request.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-31407
reference_id
reference_type
scores
0
value 0.01802
scoring_system epss
scoring_elements 0.83164
published_at 2026-06-05T12:55:00Z
1
value 0.01802
scoring_system epss
scoring_elements 0.83139
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-31407
1
reference_url https://github.com/vaadin/flow
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow
2
reference_url https://github.com/vaadin/flow/pull/10229
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/pull/10229
3
reference_url https://github.com/vaadin/flow/pull/10269
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/pull/10269
4
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-25xc-jwfq-39jw
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-25xc-jwfq-39jw
5
reference_url https://github.com/vaadin/osgi/issues/50
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/osgi/issues/50
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-31407
reference_id CVE-2021-31407
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-31407
7
reference_url https://vaadin.com/security/cve-2021-31407
reference_id CVE-2021-31407
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2021-31407
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@2.4.8
purl pkg:maven/com.vaadin/flow-server@2.4.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jxzf-6sus-t7et
1
vulnerability VCID-kkf3-sqmf-f3ft
2
vulnerability VCID-qdgn-1rqg-vuae
3
vulnerability VCID-rqmz-fd9j-ykea
4
vulnerability VCID-tfwa-kphb-j3b8
5
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.4.8
1
url pkg:maven/com.vaadin/flow-server@6.0.1
purl pkg:maven/com.vaadin/flow-server@6.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jxzf-6sus-t7et
1
vulnerability VCID-kkf3-sqmf-f3ft
2
vulnerability VCID-qdgn-1rqg-vuae
3
vulnerability VCID-rqmz-fd9j-ykea
4
vulnerability VCID-tfwa-kphb-j3b8
5
vulnerability VCID-y1d5-d3uj-5qhm
6
vulnerability VCID-yu3h-ecpv-qyhu
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.1
2
url pkg:maven/com.vaadin/flow-server@6.0.2
purl pkg:maven/com.vaadin/flow-server@6.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jxzf-6sus-t7et
1
vulnerability VCID-kkf3-sqmf-f3ft
2
vulnerability VCID-qdgn-1rqg-vuae
3
vulnerability VCID-rqmz-fd9j-ykea
4
vulnerability VCID-tfwa-kphb-j3b8
5
vulnerability VCID-y1d5-d3uj-5qhm
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.2
aliases CVE-2021-31407, GHSA-25xc-jwfq-39jw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yu3h-ecpv-qyhu
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@2.1.7