Lookup for vulnerable packages by Package URL.

Purl pkg:maven/com.vaadin/flow-server@3.0.1
Type maven
Namespace com.vaadin
Name flow-server
Version 3.0.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 6.0.10
Latest_non_vulnerable_version 25.0.2
Affected_by_vulnerabilities
0
url VCID-2fz6-rucr-xqax
vulnerability_id VCID-2fz6-rucr-xqax
summary
Information Exposure Through Discrepancy
Non-constant-time comparison of CSRF tokens in endpoint request handler allows attacker to guess a security token for Fusion endpoints via timing attack.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-31406
reference_id
reference_type
scores
0
value 0.00054
scoring_system epss
scoring_elements 0.1721
published_at 2026-06-04T12:55:00Z
1
value 0.00054
scoring_system epss
scoring_elements 0.17288
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-31406
1
reference_url https://github.com/vaadin/flow/pull/10157
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/pull/10157
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-p7jq-v8jp-j424
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-p7jq-v8jp-j424
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-31406
reference_id CVE-2021-31406
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-31406
4
reference_url https://vaadin.com/security/cve-2021-31406
reference_id CVE-2021-31406
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2021-31406
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@5.0.4
purl pkg:maven/com.vaadin/flow-server@5.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jxzf-6sus-t7et
1
vulnerability VCID-kkf3-sqmf-f3ft
2
vulnerability VCID-rqmz-fd9j-ykea
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@5.0.4
1
url pkg:maven/com.vaadin/flow-server@6.0.1
purl pkg:maven/com.vaadin/flow-server@6.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jxzf-6sus-t7et
1
vulnerability VCID-kkf3-sqmf-f3ft
2
vulnerability VCID-rqmz-fd9j-ykea
3
vulnerability VCID-yu3h-ecpv-qyhu
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.1
aliases CVE-2021-31406, GHSA-p7jq-v8jp-j424
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2fz6-rucr-xqax
1
url VCID-5nk4-urbw-suee
vulnerability_id VCID-5nk4-urbw-suee
summary
Path Traversal
Improper URL validation in development mode handler in `com.vaadin:flow-server` allows attacker to request arbitrary files stored outside of intended frontend resources folder.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-36321
reference_id
reference_type
scores
0
value 0.00551
scoring_system epss
scoring_elements 0.68345
published_at 2026-06-04T12:55:00Z
1
value 0.00551
scoring_system epss
scoring_elements 0.68387
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-36321
1
reference_url https://github.com/vaadin/flow/pull/9392
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/pull/9392
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-49r2-73m6-pp8f
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-49r2-73m6-pp8f
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-36321
reference_id CVE-2020-36321
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-36321
4
reference_url https://vaadin.com/security/cve-2020-36321
reference_id CVE-2020-36321
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2020-36321
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@4.0.1
purl pkg:maven/com.vaadin/flow-server@4.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2fz6-rucr-xqax
1
vulnerability VCID-jxzf-6sus-t7et
2
vulnerability VCID-kkf3-sqmf-f3ft
3
vulnerability VCID-rqmz-fd9j-ykea
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@4.0.1
1
url pkg:maven/com.vaadin/flow-server@5.0.0
purl pkg:maven/com.vaadin/flow-server@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2fz6-rucr-xqax
1
vulnerability VCID-hqrf-7nbq-9bdw
2
vulnerability VCID-jxzf-6sus-t7et
3
vulnerability VCID-kkf3-sqmf-f3ft
4
vulnerability VCID-rqmz-fd9j-ykea
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@5.0.0
aliases CVE-2020-36321, GHSA-49r2-73m6-pp8f
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5nk4-urbw-suee
2
url VCID-hqrf-7nbq-9bdw
vulnerability_id VCID-hqrf-7nbq-9bdw
summary
Information Exposure Through Discrepancy
A non-constant-time comparison of CSRF tokens in UIDL request handler in `com.vaadin:flow-server` allows attacker to guess a security token via timing attack.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-31404
reference_id
reference_type
scores
0
value 0.00045
scoring_system epss
scoring_elements 0.14389
published_at 2026-06-04T12:55:00Z
1
value 0.00045
scoring_system epss
scoring_elements 0.14459
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-31404
1
reference_url https://github.com/vaadin/flow/pull/9875
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/pull/9875
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-xwg3-qrcg-w9x6
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-xwg3-qrcg-w9x6
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-31404
reference_id CVE-2021-31404
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-31404
4
reference_url https://vaadin.com/security/cve-2021-31404
reference_id CVE-2021-31404
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2021-31404
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@4.0.1
purl pkg:maven/com.vaadin/flow-server@4.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2fz6-rucr-xqax
1
vulnerability VCID-jxzf-6sus-t7et
2
vulnerability VCID-kkf3-sqmf-f3ft
3
vulnerability VCID-rqmz-fd9j-ykea
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@4.0.1
1
url pkg:maven/com.vaadin/flow-server@5.0.3
purl pkg:maven/com.vaadin/flow-server@5.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2fz6-rucr-xqax
1
vulnerability VCID-jxzf-6sus-t7et
2
vulnerability VCID-kkf3-sqmf-f3ft
3
vulnerability VCID-rqmz-fd9j-ykea
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@5.0.3
aliases CVE-2021-31404, GHSA-xwg3-qrcg-w9x6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hqrf-7nbq-9bdw
3
url VCID-jxzf-6sus-t7et
vulnerability_id VCID-jxzf-6sus-t7et
summary
Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19
Insecure temporary directory usage in frontend build functionality of `com.vaadin:flow-server` versions 2.0.9 through 2.5.2 (Vaadin 14.0.3 through Vaadin 14.5.2), 3.0 prior to 6.0 (Vaadin 15 prior to 19), and 6.0.0 through 6.0.5 (Vaadin 19.0.0 through 19.0.4) allows local users to inject malicious code into frontend resources during application rebuilds.

- https://vaadin.com/security/cve-2021-31411
references
0
reference_url https://github.com/vaadin/flow
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow
1
reference_url https://github.com/advisories/GHSA-c57f-4vp2-jqhm
reference_id GHSA-c57f-4vp2-jqhm
reference_type
scores
url https://github.com/advisories/GHSA-c57f-4vp2-jqhm
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-c57f-4vp2-jqhm
reference_id GHSA-c57f-4vp2-jqhm
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-c57f-4vp2-jqhm
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@6.0.6
purl pkg:maven/com.vaadin/flow-server@6.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kkf3-sqmf-f3ft
1
vulnerability VCID-rqmz-fd9j-ykea
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.6
aliases GHSA-c57f-4vp2-jqhm, GMS-2021-141
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jxzf-6sus-t7et
4
url VCID-kkf3-sqmf-f3ft
vulnerability_id VCID-kkf3-sqmf-f3ft
summary
Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
Improper sanitization of path in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for `NotFoundException` is provided.
references
0
reference_url https://vaadin.com/security/cve-2021-31412
reference_id CVE-2021-31412
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2021-31412
1
reference_url https://github.com/advisories/GHSA-fr26-qjc8-mvjx
reference_id GHSA-fr26-qjc8-mvjx
reference_type
scores
url https://github.com/advisories/GHSA-fr26-qjc8-mvjx
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-fr26-qjc8-mvjx
reference_id GHSA-fr26-qjc8-mvjx
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-fr26-qjc8-mvjx
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@6.0.10
purl pkg:maven/com.vaadin/flow-server@6.0.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.10
aliases GHSA-fr26-qjc8-mvjx, GMS-2021-142
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kkf3-sqmf-f3ft
5
url VCID-pxwc-zts8-wkh1
vulnerability_id VCID-pxwc-zts8-wkh1
summary
Information Exposure
Insecure configuration of default ObjectMapper in `com.vaadin:flow-server` may expose sensitive data if the application also uses `@RestController`
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-36319
reference_id
reference_type
scores
0
value 0.0039
scoring_system epss
scoring_elements 0.60423
published_at 2026-06-05T12:55:00Z
1
value 0.0039
scoring_system epss
scoring_elements 0.60376
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-36319
1
reference_url https://github.com/vaadin/flow
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow
2
reference_url https://github.com/vaadin/flow/pull/8016
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/pull/8016
3
reference_url https://github.com/vaadin/flow/pull/8051
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/pull/8051
4
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-rjww-2x8v-m9v9
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-rjww-2x8v-m9v9
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-36319
reference_id CVE-2020-36319
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-36319
6
reference_url https://vaadin.com/security/cve-2020-36319
reference_id CVE-2020-36319
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2020-36319
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@3.0.6
purl pkg:maven/com.vaadin/flow-server@3.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2fz6-rucr-xqax
1
vulnerability VCID-5nk4-urbw-suee
2
vulnerability VCID-hqrf-7nbq-9bdw
3
vulnerability VCID-jxzf-6sus-t7et
4
vulnerability VCID-kkf3-sqmf-f3ft
5
vulnerability VCID-rqmz-fd9j-ykea
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@3.0.6
aliases CVE-2020-36319, GHSA-rjww-2x8v-m9v9
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pxwc-zts8-wkh1
6
url VCID-rqmz-fd9j-ykea
vulnerability_id VCID-rqmz-fd9j-ykea
summary Improper Neutralization in com.vaadin:flow-server.
references
0
reference_url https://vaadin.com/security/cve-2021-33604
reference_id CVE-2021-33604
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://vaadin.com/security/cve-2021-33604
1
reference_url https://github.com/advisories/GHSA-8vfw-v2jv-9hwc
reference_id GHSA-8vfw-v2jv-9hwc
reference_type
scores
url https://github.com/advisories/GHSA-8vfw-v2jv-9hwc
2
reference_url https://github.com/vaadin/flow/security/advisories/GHSA-8vfw-v2jv-9hwc
reference_id GHSA-8vfw-v2jv-9hwc
reference_type
scores
0
value 2.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow/security/advisories/GHSA-8vfw-v2jv-9hwc
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@6.0.10
purl pkg:maven/com.vaadin/flow-server@6.0.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@6.0.10
aliases GHSA-8vfw-v2jv-9hwc, GMS-2021-140
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rqmz-fd9j-ykea
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@3.0.1