Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/com.vaadin/flow-server@6.0.1
purl pkg:maven/com.vaadin/flow-server@6.0.1
Next non-vulnerable version 6.0.10
Latest non-vulnerable version 25.0.2
Risk 4.0
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-jxzf-6sus-t7et
Aliases:
GHSA-c57f-4vp2-jqhm
GMS-2021-141
Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 Insecure temporary directory usage in frontend build functionality of `com.vaadin:flow-server` versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds. - https://vaadin.com/security/cve-2021-31411
6.0.6
Affected by 2 other vulnerabilities.
VCID-kkf3-sqmf-f3ft
Aliases:
GHSA-fr26-qjc8-mvjx
GMS-2021-142
Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19 Improper sanitization of path in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for `NotFoundException` is provided.
6.0.10
Affected by 0 other vulnerabilities.
VCID-rqmz-fd9j-ykea
Aliases:
GHSA-8vfw-v2jv-9hwc
GMS-2021-140
Improper Neutralization in com.vaadin:flow-server.
6.0.10
Affected by 0 other vulnerabilities.
VCID-yu3h-ecpv-qyhu
Aliases:
CVE-2021-31407
GHSA-25xc-jwfq-39jw
Exposure of Resource to Wrong Sphere A vulnerability in the OSGi integration in `com.vaadin:flow-server` allows attackers to access application classes and resources on the server via crafted HTTP request.
6.0.2
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-2fz6-rucr-xqax Information Exposure Through Discrepancy Non-constant-time comparison of CSRF tokens in endpoint request handler allows attacker to guess a security token for Fusion endpoints via timing attack. CVE-2021-31406
GHSA-p7jq-v8jp-j424
VCID-yu3h-ecpv-qyhu Exposure of Resource to Wrong Sphere A vulnerability in the OSGi integration in `com.vaadin:flow-server` allows attackers to access application classes and resources on the server via crafted HTTP request. CVE-2021-31407
GHSA-25xc-jwfq-39jw

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T01:02:56.928001+00:00 GitLab Importer Affected by VCID-kkf3-sqmf-f3ft https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/GMS-2021-142.yml 38.6.0
2026-06-06T00:47:06.910343+00:00 GitLab Importer Affected by VCID-rqmz-fd9j-ykea https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/GMS-2021-140.yml 38.6.0
2026-06-06T00:35:50.016263+00:00 GitLab Importer Affected by VCID-jxzf-6sus-t7et https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/GMS-2021-141.yml 38.6.0
2026-06-04T17:26:44.222363+00:00 GithubOSV Importer Fixing VCID-yu3h-ecpv-qyhu https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-25xc-jwfq-39jw/GHSA-25xc-jwfq-39jw.json 38.6.0
2026-06-04T17:26:18.936796+00:00 GithubOSV Importer Fixing VCID-2fz6-rucr-xqax https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-p7jq-v8jp-j424/GHSA-p7jq-v8jp-j424.json 38.6.0
2026-06-04T16:21:06.185003+00:00 GitLab Importer Affected by VCID-yu3h-ecpv-qyhu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow-server/CVE-2021-31407.yml 38.6.0