Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/com.vaadin/flow-server@24.4.6
Typemaven
Namespacecom.vaadin
Nameflow-server
Version24.4.6
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version24.9.8
Latest_non_vulnerable_version25.0.2
Affected_by_vulnerabilities
0
url VCID-y1d5-d3uj-5qhm
vulnerability_id VCID-y1d5-d3uj-5qhm
summary 
Vaadin Vulnerable to Authentication Bypass When Accessing the /VAADIN Endpoint Without a Trailing Slash
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths.

Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, and allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization.

Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 upgrade to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0 - 24.9.7 to 24.9.8, and 25.0.0-25.0.1 upgrade to 25.0.2 or newer.

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and users should update either to the latest 14, 23, 24, 25 version.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2742.json
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2742.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-2742
reference_id
reference_type
scores
0
value 0.00418
scoring_system epss
scoring_elements 0.62203
published_at 2026-06-08T12:55:00Z
1
value 0.00418
scoring_system epss
scoring_elements 0.62222
published_at 2026-06-05T12:55:00Z
2
value 0.00418
scoring_system epss
scoring_elements 0.62229
published_at 2026-06-06T12:55:00Z
3
value 0.00418
scoring_system epss
scoring_elements 0.62219
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-2742
2
reference_url https://github.com/vaadin/flow
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vaadin/flow
3
reference_url https://github.com/vaadin/flow/pull/22998
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/22998
4
reference_url https://github.com/vaadin/flow/pull/23033
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23033
5
reference_url https://github.com/vaadin/flow/pull/23034
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23034
6
reference_url https://github.com/vaadin/flow/pull/23037
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23037
7
reference_url https://github.com/vaadin/flow/pull/23052
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23052
8
reference_url https://github.com/vaadin/flow/pull/23057
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://github.com/vaadin/flow/pull/23057
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2446005
reference_id 2446005
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2446005
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-2742
reference_id CVE-2026-2742
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-2742
11
reference_url https://vaadin.com/security/cve-2026-2742
reference_id CVE-2026-2742
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T13:42:57Z/
url https://vaadin.com/security/cve-2026-2742
12
reference_url https://github.com/advisories/GHSA-rjgh-wgc7-m37j
reference_id GHSA-rjgh-wgc7-m37j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rjgh-wgc7-m37j
fixed_packages
0
url pkg:maven/com.vaadin/flow-server@24.9.8
purl pkg:maven/com.vaadin/flow-server@24.9.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@24.9.8
1
url pkg:maven/com.vaadin/flow-server@25.0.2
purl pkg:maven/com.vaadin/flow-server@25.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@25.0.2
aliases CVE-2026-2742, GHSA-rjgh-wgc7-m37j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y1d5-d3uj-5qhm
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/com.vaadin/flow-server@24.4.6