Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-bud2-81n2-wyhc
Vulnerability ID VCID-bud2-81n2-wyhc
Aliases CVE-2021-31411
GHSA-p826-8vhq-h439
Summary Insecure Temporary File Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server allows local users to inject malicious code into frontend resources during application rebuilds.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-379 Creation of Temporary File in Directory with Insecure Permissions
System Score Found at
epss 0.00049 https://api.first.org/data/v1/epss?cve=CVE-2021-31411
cvssv3.1 6.3 https://github.com/vaadin/flow/pull/10640
generic_textual HIGH https://github.com/vaadin/flow/pull/10640
cvssv3.1 6.3 https://github.com/vaadin/platform/security/advisories/GHSA-p826-8vhq-h439
generic_textual HIGH https://github.com/vaadin/platform/security/advisories/GHSA-p826-8vhq-h439
cvssv3.1 6.3 https://nvd.nist.gov/vuln/detail/CVE-2021-31411
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-31411
cvssv3.1 6.3 https://vaadin.com/security/cve-2021-31411
generic_textual HIGH https://vaadin.com/security/cve-2021-31411
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2021-31411
https://github.com/vaadin/flow/pull/10640
CVE-2021-31411 https://nvd.nist.gov/vuln/detail/CVE-2021-31411
CVE-2021-31411 https://vaadin.com/security/cve-2021-31411
GHSA-p826-8vhq-h439 https://github.com/advisories/GHSA-p826-8vhq-h439
GHSA-p826-8vhq-h439 https://github.com/vaadin/platform/security/advisories/GHSA-p826-8vhq-h439
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/vaadin/flow/pull/10640
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/vaadin/platform/security/advisories/GHSA-p826-8vhq-h439
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-31411
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://vaadin.com/security/cve-2021-31411
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.15538
EPSS Score 0.00049
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:21:08.454093+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.vaadin/flow/CVE-2021-31411.yml 38.6.0