VulnerableCode Package Details - pkg:maven/com.vaadin/flow-server@2.0.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:maven/com.vaadin/flow-server@2.0.0

Essentials
History (4)

purl	pkg:maven/com.vaadin/flow-server@2.0.0

Next non-vulnerable version	2.4.8
Latest non-vulnerable version	25.0.2
Risk	3.1

Vulnerabilities affecting this package (4)

Vulnerability	Summary	Fixed by
VCID-5nk4-urbw-suee Aliases: CVE-2020-36321 GHSA-49r2-73m6-pp8f	Path Traversal Improper URL validation in development mode handler in `com.vaadin:flow-server` allows attacker to request arbitrary files stored outside of intended frontend resources folder.	2.4.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-hqrf-7nbq-9bdw Aliases: CVE-2021-31404 GHSA-xwg3-qrcg-w9x6	Information Exposure Through Discrepancy A non-constant-time comparison of CSRF tokens in UIDL request handler in `com.vaadin:flow-server` allows attacker to guess a security token via timing attack.	2.4.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.0.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-rqmz-fd9j-ykea Aliases: GHSA-8vfw-v2jv-9hwc GMS-2021-140	Improper Neutralization in com.vaadin:flow-server.	2.6.2 Affected by 0 other vulnerabilities. 6.0.10 Affected by 0 other vulnerabilities.
VCID-yu3h-ecpv-qyhu Aliases: CVE-2021-31407 GHSA-25xc-jwfq-39jw	Exposure of Resource to Wrong Sphere A vulnerability in the OSGi integration in `com.vaadin:flow-server` allows attackers to access application classes and resources on the server via crafted HTTP request.	2.4.8 Affected by 0 other vulnerabilities. 6.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 6.0.2 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:50:05.872482+00:00	GitLab Importer	Affected by	VCID-yu3h-ecpv-qyhu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/CVE-2021-31407.yml	38.6.0
2026-06-04T16:21:34.596737+00:00	GitLab Importer	Affected by	VCID-rqmz-fd9j-ykea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/GMS-2021-140.yml	38.6.0
2026-06-04T16:21:06.104346+00:00	GitLab Importer	Affected by	VCID-5nk4-urbw-suee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/CVE-2020-36321.yml	38.6.0
2026-06-04T16:21:05.979210+00:00	GitLab Importer	Affected by	VCID-hqrf-7nbq-9bdw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/CVE-2021-31404.yml	38.6.0