Vulnerability-Lookup

CVE-2025-15022 (GCVE-0-2025-15022)

Vulnerability from cvelistv5 – Published: 2026-01-05 07:52 – Updated: 2026-01-05 21:11

Title

Cross-site scripting in Action caption

Summary

Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility. In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist. Vaadin 14 is not affected as Spreadsheet component was not supported. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 7.0.0 - 7.7.49 Vaadin 8.0.0 - 8.29.1 Vaadin 23.1.0 - 23.6.5 Vaadin 24.0.0 - 24.8.13 Vaadin 24.9.0 - 24.9.6 Mitigation Upgrade to 7.7.50 Upgrade to 8.30.0 Upgrade to 23.6.6 Upgrade to 24.8.14 or 24.9.7 Upgrade to 25.0.0 or newer Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server 7.0.0 - 7.7.49 ≥7.7.50 com.vaadin:vaadin-server 8.0.0 - 8.29.1 ≥8.30.0 com.vaadin:vaadin 23.1.0 - 23.6.5 ≥23.6.6 com.vaadin:vaadin24.0.0 - 24.8.13 ≥24.8.14 com.vaadin:vaadin24.9.0 - 24.9.6 ≥24.9.7 com.vaadin:vaadin-spreadsheet-flow 23.1.0 - 23.6.5 ≥23.6.6 com.vaadin:vaadin-spreadsheet-flow 24.0.0 - 24.8.13 ≥24.8.14 com.vaadin:vaadin-spreadsheet-flow 24.9.0 - 24.9.6 ≥24.9.7

Severity ?

4.8 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

Assigner

Vaadin

References

URL

Tags

	https://vaadin.com/security/cve-2025-15022
	https://github.com/vaadin/flow-components/pull/8285

Impacted products

Vendor

Product

Version

vaadin

Affected: 23.1.0 , ≤ 23.6.5 (maven)
Affected: 24.0.0 , ≤ 24.8.13 (maven)
Affected: 24.9.0 , ≤ 24.9.6 (maven)

	vaadin	framework	Affected: 7.0.0 , ≤ 7.7.49 (maven) Affected: 8.0.0 , ≤ 8.29.1 (maven)
	vaadin	vaadin-spreadsheet-flow	Affected: 23.1.0 , ≤ 23.6.5 (maven) Affected: 24.0.0 , ≤ 24.8.13 (maven) Affected: 24.9.0 , ≤ 24.9.6 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15022",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-05T21:11:20.251254Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-05T21:11:31.883Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:vaadin",
          "product": "vaadin",
          "repo": "https://github.com/vaadin/platform",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "23.6.5",
              "status": "affected",
              "version": "23.1.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.8.13",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.6",
              "status": "affected",
              "version": "24.9.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:vaadin-server",
          "product": "framework",
          "repo": "https://github.com/vaadin/framework",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "7.7.49",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "8.29.1",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "com.vaadin:vaadin-spreadsheet-flow",
          "product": "vaadin-spreadsheet-flow",
          "repo": "https://github.com/vaadin/flow-components",
          "vendor": "vaadin",
          "versions": [
            {
              "lessThanOrEqual": "23.6.5",
              "status": "affected",
              "version": "23.1.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.8.13",
              "status": "affected",
              "version": "24.0.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "24.9.6",
              "status": "affected",
              "version": "24.9.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAction captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.\u003cbr\u003e\u003cbr\u003eIn Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.\u003cbr\u003e\u003cbr\u003eIn Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.\u003cbr\u003e\u003cbr\u003eVaadin 14 is not affected as Spreadsheet component was not supported.\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 7.0.0 - 7.7.49\u003cbr\u003eVaadin 8.0.0 - 8.29.1\u003cbr\u003eVaadin 23.1.0 - 23.6.5\u003cbr\u003eVaadin 24.0.0 - 24.8.13\u003cbr\u003eVaadin 24.9.0 - 24.9.6\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 7.7.50\u003cbr\u003eUpgrade to 8.30.0\u003cbr\u003eUpgrade to 23.6.6\u003cbr\u003eUpgrade to 24.8.14 or 24.9.7\u003cbr\u003eUpgrade to 25.0.0 or newer\u003cbr\u003e\u003cbr\u003eArtifacts\u0026nbsp; \u0026nbsp; \u0026nbsp;\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e7.0.0 - 7.7.49\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22657.7.50\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e8.0.0 - 8.29.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u22658.30.0\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e23.1.0 - 23.6.5\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.6\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.8.13\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.8.14\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e24.9.0 - 24.9.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.9.7\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-spreadsheet-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e23.1.0 - 23.6.5\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226523.6.6\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-spreadsheet-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.8.13\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.8.14\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-spreadsheet-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e24.9.0 - 24.9.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u226524.9.7\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.\n\nIn Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.\n\nIn Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.\n\nVaadin 14 is not affected as Spreadsheet component was not supported.\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.49\nVaadin 8.0.0 - 8.29.1\nVaadin 23.1.0 - 23.6.5\nVaadin 24.0.0 - 24.8.13\nVaadin 24.9.0 - 24.9.6\n\nMitigation\nUpgrade to 7.7.50\nUpgrade to 8.30.0\nUpgrade to 23.6.6\nUpgrade to 24.8.14 or 24.9.7\nUpgrade to 25.0.0 or newer\n\nArtifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.49\n\u22657.7.50\ncom.vaadin:vaadin-server\n8.0.0 - 8.29.1\n\u22658.30.0\ncom.vaadin:vaadin\n23.1.0 - 23.6.5\n\u226523.6.6\ncom.vaadin:vaadin24.0.0 - 24.8.13\n\u226524.8.14\ncom.vaadin:vaadin24.9.0 - 24.9.6\n\u226524.9.7\ncom.vaadin:vaadin-spreadsheet-flow\n23.1.0 - 23.6.5\n\u226523.6.6\ncom.vaadin:vaadin-spreadsheet-flow\n24.0.0 - 24.8.13\n\u226524.8.14\ncom.vaadin:vaadin-spreadsheet-flow\n24.9.0 - 24.9.6\n\u226524.9.7"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-86",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-86 XSS Through HTTP Headers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T07:52:56.478Z",
        "orgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
        "shortName": "Vaadin"
      },
      "references": [
        {
          "url": "https://vaadin.com/security/cve-2025-15022"
        },
        {
          "url": "https://github.com/vaadin/flow-components/pull/8285"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
            }
          ],
          "value": "Users of affected versions should apply the following mitigation or upgrade."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Cross-site scripting in Action caption",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003eEnsure that Action captions are not derived from untrusted user input, or manually sanitize any user-provided content before using it as an Action caption.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e"
            }
          ],
          "value": "Ensure that Action captions are not derived from untrusted user input, or manually sanitize any user-provided content before using it as an Action caption."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9e0f3122-90e9-42d5-93de-8c6b98deef7e",
    "assignerShortName": "Vaadin",
    "cveId": "CVE-2025-15022",
    "datePublished": "2026-01-05T07:52:56.478Z",
    "dateReserved": "2025-12-22T07:12:40.732Z",
    "dateUpdated": "2026-01-05T21:11:31.883Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-15022\",\"sourceIdentifier\":\"security@vaadin.com\",\"published\":\"2026-01-05T08:15:56.993\",\"lastModified\":\"2026-01-08T18:09:49.800\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.\\n\\nIn Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.\\n\\nIn Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.\\n\\nVaadin 14 is not affected as Spreadsheet component was not supported.\\n\\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\\n\\nProduct version\\nVaadin 7.0.0 - 7.7.49\\nVaadin 8.0.0 - 8.29.1\\nVaadin 23.1.0 - 23.6.5\\nVaadin 24.0.0 - 24.8.13\\nVaadin 24.9.0 - 24.9.6\\n\\nMitigation\\nUpgrade to 7.7.50\\nUpgrade to 8.30.0\\nUpgrade to 23.6.6\\nUpgrade to 24.8.14 or 24.9.7\\nUpgrade to 25.0.0 or newer\\n\\nArtifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\\n7.0.0 - 7.7.49\\n\u22657.7.50\\ncom.vaadin:vaadin-server\\n8.0.0 - 8.29.1\\n\u22658.30.0\\ncom.vaadin:vaadin\\n23.1.0 - 23.6.5\\n\u226523.6.6\\ncom.vaadin:vaadin24.0.0 - 24.8.13\\n\u226524.8.14\\ncom.vaadin:vaadin24.9.0 - 24.9.6\\n\u226524.9.7\\ncom.vaadin:vaadin-spreadsheet-flow\\n23.1.0 - 23.6.5\\n\u226523.6.6\\ncom.vaadin:vaadin-spreadsheet-flow\\n24.0.0 - 24.8.13\\n\u226524.8.14\\ncom.vaadin:vaadin-spreadsheet-flow\\n24.9.0 - 24.9.6\\n\u226524.9.7\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@vaadin.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NEGLIGIBLE\",\"Automatable\":\"NO\",\"Recovery\":\"USER\",\"valueDensity\":\"DIFFUSE\",\"vulnerabilityResponseEffort\":\"LOW\",\"providerUrgency\":\"AMBER\"}}]},\"weaknesses\":[{\"source\":\"security@vaadin.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/vaadin/flow-components/pull/8285\",\"source\":\"security@vaadin.com\"},{\"url\":\"https://vaadin.com/security/cve-2025-15022\",\"source\":\"security@vaadin.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-15022\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-05T21:11:20.251254Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-05T21:11:27.172Z\"}}], \"cna\": {\"title\": \"Cross-site scripting in Action caption\", \"source\": {\"discovery\": \"INTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-86\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-86 XSS Through HTTP Headers\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NEGLIGIBLE\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 4.8, \"Automatable\": \"NO\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"DIFFUSE\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"AMBER\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/vaadin/platform\", \"vendor\": \"vaadin\", \"product\": \"vaadin\", \"versions\": [{\"status\": \"affected\", \"version\": \"23.1.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"23.6.5\"}, {\"status\": \"affected\", \"version\": \"24.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.8.13\"}, {\"status\": \"affected\", \"version\": \"24.9.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.9.6\"}], \"packageName\": \"com.vaadin:vaadin\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://github.com/vaadin/framework\", \"vendor\": \"vaadin\", \"product\": \"framework\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"7.7.49\"}, {\"status\": \"affected\", \"version\": \"8.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"8.29.1\"}], \"packageName\": \"com.vaadin:vaadin-server\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://github.com/vaadin/flow-components\", \"vendor\": \"vaadin\", \"product\": \"vaadin-spreadsheet-flow\", \"versions\": [{\"status\": \"affected\", \"version\": \"23.1.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"23.6.5\"}, {\"status\": \"affected\", \"version\": \"24.0.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.8.13\"}, {\"status\": \"affected\", \"version\": \"24.9.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"24.9.6\"}], \"packageName\": \"com.vaadin:vaadin-spreadsheet-flow\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Users of affected versions should apply the following mitigation or upgrade.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cb\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eUsers of affected versions should apply the following mitigation or upgrade.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://vaadin.com/security/cve-2025-15022\"}, {\"url\": \"https://github.com/vaadin/flow-components/pull/8285\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Ensure that Action captions are not derived from untrusted user input, or manually sanitize any user-provided content before using it as an Action caption.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cb\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eEnsure that Action captions are not derived from untrusted user input, or manually sanitize any user-provided content before using it as an Action caption.\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.\\n\\nIn Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.\\n\\nIn Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.\\n\\nVaadin 14 is not affected as Spreadsheet component was not supported.\\n\\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\\n\\nProduct version\\nVaadin 7.0.0 - 7.7.49\\nVaadin 8.0.0 - 8.29.1\\nVaadin 23.1.0 - 23.6.5\\nVaadin 24.0.0 - 24.8.13\\nVaadin 24.9.0 - 24.9.6\\n\\nMitigation\\nUpgrade to 7.7.50\\nUpgrade to 8.30.0\\nUpgrade to 23.6.6\\nUpgrade to 24.8.14 or 24.9.7\\nUpgrade to 25.0.0 or newer\\n\\nArtifacts\\u00a0 \\u00a0 \\u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\\n7.0.0 - 7.7.49\\n\\u22657.7.50\\ncom.vaadin:vaadin-server\\n8.0.0 - 8.29.1\\n\\u22658.30.0\\ncom.vaadin:vaadin\\n23.1.0 - 23.6.5\\n\\u226523.6.6\\ncom.vaadin:vaadin24.0.0 - 24.8.13\\n\\u226524.8.14\\ncom.vaadin:vaadin24.9.0 - 24.9.6\\n\\u226524.9.7\\ncom.vaadin:vaadin-spreadsheet-flow\\n23.1.0 - 23.6.5\\n\\u226523.6.6\\ncom.vaadin:vaadin-spreadsheet-flow\\n24.0.0 - 24.8.13\\n\\u226524.8.14\\ncom.vaadin:vaadin-spreadsheet-flow\\n24.9.0 - 24.9.6\\n\\u226524.9.7\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgba(232, 232, 232, 0.04);\\\"\u003eAction captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.\u003cbr\u003e\u003cbr\u003eIn Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.\u003cbr\u003e\u003cbr\u003eIn Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.\u003cbr\u003e\u003cbr\u003eVaadin 14 is not affected as Spreadsheet component was not supported.\u003cbr\u003e\u003cbr\u003eUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\u003cbr\u003e\u003cbr\u003eProduct version\u003cbr\u003eVaadin 7.0.0 - 7.7.49\u003cbr\u003eVaadin 8.0.0 - 8.29.1\u003cbr\u003eVaadin 23.1.0 - 23.6.5\u003cbr\u003eVaadin 24.0.0 - 24.8.13\u003cbr\u003eVaadin 24.9.0 - 24.9.6\u003cbr\u003e\u003cbr\u003eMitigation\u003cbr\u003eUpgrade to 7.7.50\u003cbr\u003eUpgrade to 8.30.0\u003cbr\u003eUpgrade to 23.6.6\u003cbr\u003eUpgrade to 24.8.14 or 24.9.7\u003cbr\u003eUpgrade to 25.0.0 or newer\u003cbr\u003e\u003cbr\u003eArtifacts\u0026nbsp; \u0026nbsp; \u0026nbsp;\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eMaven coordinates\u003c/td\u003e\u003ctd\u003eVulnerable versions\u003c/td\u003e\u003ctd\u003eFixed version\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e7.0.0 - 7.7.49\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\\u22657.7.50\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-server\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e8.0.0 - 8.29.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\\u22658.30.0\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e23.1.0 - 23.6.5\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\\u226523.6.6\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.8.13\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\\u226524.8.14\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin\u003c/td\u003e\u003ctd\u003e24.9.0 - 24.9.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\\u226524.9.7\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-spreadsheet-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e23.1.0 - 23.6.5\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\\u226523.6.6\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-spreadsheet-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e24.0.0 - 24.8.13\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\\u226524.8.14\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ecom.vaadin:vaadin-spreadsheet-flow\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e24.9.0 - 24.9.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\\u226524.9.7\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)\"}]}], \"providerMetadata\": {\"orgId\": \"9e0f3122-90e9-42d5-93de-8c6b98deef7e\", \"shortName\": \"Vaadin\", \"dateUpdated\": \"2026-01-05T07:52:56.478Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-15022\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-05T21:11:31.883Z\", \"dateReserved\": \"2025-12-22T07:12:40.732Z\", \"assignerOrgId\": \"9e0f3122-90e9-42d5-93de-8c6b98deef7e\", \"datePublished\": \"2026-01-05T07:52:56.478Z\", \"assignerShortName\": \"Vaadin\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-15022

Vulnerability from fkie_nvd - Published: 2026-01-05 08:15 - Updated: 2026-01-08 18:09

Severity ?

4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber

Summary

References

	URL	Tags
	security@vaadin.com	https://github.com/vaadin/flow-components/pull/8285
	security@vaadin.com	https://vaadin.com/security/cve-2025-15022

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.\n\nIn Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.\n\nIn Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.\n\nVaadin 14 is not affected as Spreadsheet component was not supported.\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.49\nVaadin 8.0.0 - 8.29.1\nVaadin 23.1.0 - 23.6.5\nVaadin 24.0.0 - 24.8.13\nVaadin 24.9.0 - 24.9.6\n\nMitigation\nUpgrade to 7.7.50\nUpgrade to 8.30.0\nUpgrade to 23.6.6\nUpgrade to 24.8.14 or 24.9.7\nUpgrade to 25.0.0 or newer\n\nArtifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.49\n\u22657.7.50\ncom.vaadin:vaadin-server\n8.0.0 - 8.29.1\n\u22658.30.0\ncom.vaadin:vaadin\n23.1.0 - 23.6.5\n\u226523.6.6\ncom.vaadin:vaadin24.0.0 - 24.8.13\n\u226524.8.14\ncom.vaadin:vaadin24.9.0 - 24.9.6\n\u226524.9.7\ncom.vaadin:vaadin-spreadsheet-flow\n23.1.0 - 23.6.5\n\u226523.6.6\ncom.vaadin:vaadin-spreadsheet-flow\n24.0.0 - 24.8.13\n\u226524.8.14\ncom.vaadin:vaadin-spreadsheet-flow\n24.9.0 - 24.9.6\n\u226524.9.7"
    }
  ],
  "id": "CVE-2025-15022",
  "lastModified": "2026-01-08T18:09:49.800",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NO",
          "Recovery": "USER",
          "Safety": "NEGLIGIBLE",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "AMBER",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "ACTIVE",
          "valueDensity": "DIFFUSE",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "LOW"
        },
        "source": "security@vaadin.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-05T08:15:56.993",
  "references": [
    {
      "source": "security@vaadin.com",
      "url": "https://github.com/vaadin/flow-components/pull/8285"
    },
    {
      "source": "security@vaadin.com",
      "url": "https://vaadin.com/security/cve-2025-15022"
    }
  ],
  "sourceIdentifier": "security@vaadin.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@vaadin.com",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2026-0003

Vulnerability from csaf_certbund - Published: 2026-01-04 23:00 - Updated: 2026-01-05 23:00

Summary

Vaadin: Schwachstelle ermöglicht Cross-Site Scripting

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Vaadin ist eine Java Web Entwicklungsplattform.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Vaadin ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Vaadin ist eine Java Web Entwicklungsplattform.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Vaadin ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0003 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0003.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0003 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0003"
      },
      {
        "category": "external",
        "summary": "Vaadin vulnerability report vom 2026-01-04",
        "url": "https://vaadin.com/security/cve-2025-15022"
      }
    ],
    "source_lang": "en-US",
    "title": "Vaadin: Schwachstelle erm\u00f6glicht Cross-Site Scripting",
    "tracking": {
      "current_release_date": "2026-01-05T23:00:00.000+00:00",
      "generator": {
        "date": "2026-01-06T08:25:33.745+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0003",
      "initial_release_date": "2026-01-04T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-01-04T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-01-05T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-0820"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.7.50",
                "product": {
                  "name": "Open Source Vaadin \u003c7.7.50",
                  "product_id": "T049679"
                }
              },
              {
                "category": "product_version",
                "name": "7.7.50",
                "product": {
                  "name": "Open Source Vaadin 7.7.50",
                  "product_id": "T049679-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:7.7.50"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.30.0",
                "product": {
                  "name": "Open Source Vaadin \u003c8.30.0",
                  "product_id": "T049680"
                }
              },
              {
                "category": "product_version",
                "name": "8.30.0",
                "product": {
                  "name": "Open Source Vaadin 8.30.0",
                  "product_id": "T049680-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:8.30.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c23.6.6",
                "product": {
                  "name": "Open Source Vaadin \u003c23.6.6",
                  "product_id": "T049681"
                }
              },
              {
                "category": "product_version",
                "name": "23.6.6",
                "product": {
                  "name": "Open Source Vaadin 23.6.6",
                  "product_id": "T049681-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:23.6.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c24.8.14",
                "product": {
                  "name": "Open Source Vaadin \u003c24.8.14",
                  "product_id": "T049682"
                }
              },
              {
                "category": "product_version",
                "name": "24.8.14",
                "product": {
                  "name": "Open Source Vaadin 24.8.14",
                  "product_id": "T049682-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:24.8.14"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c24.9.7",
                "product": {
                  "name": "Open Source Vaadin \u003c24.9.7",
                  "product_id": "T049683"
                }
              },
              {
                "category": "product_version",
                "name": "24.9.7",
                "product": {
                  "name": "Open Source Vaadin 24.9.7",
                  "product_id": "T049683-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vaadin:vaadin:24.9.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Vaadin"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-15022",
      "product_status": {
        "known_affected": [
          "T049682",
          "T049681",
          "T049680",
          "T049683",
          "T049679"
        ]
      },
      "release_date": "2026-01-04T23:00:00.000+00:00",
      "title": "CVE-2025-15022"
    }
  ]
}

GHSA-7WWV-79XW-RVVG

Vulnerability from github – Published: 2026-01-05 09:30 – Updated: 2026-01-05 19:48

Summary

Vaadin vulnerable to Cross-site Scripting

Details

Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.

In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.

In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.

Vaadin 14 is not affected as Spreadsheet component was not supported.

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Vaadin 7.0.0 - 7.7.49 Vaadin 8.0.0 - 8.29.1 Vaadin 23.1.0 - 23.6.5 Vaadin 24.0.0 - 24.8.13 Vaadin 24.9.0 - 24.9.6

Mitigation Upgrade to 7.7.50 Upgrade to 8.30.0 Upgrade to 23.6.6 Upgrade to 24.8.14 or 24.9.7 Upgrade to 25.0.0 or newer

Artifacts Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server 7.0.0 - 7.7.49 ≥7.7.50 com.vaadin:vaadin-server 8.0.0 - 8.29.1 ≥8.30.0 com.vaadin:vaadin 23.1.0 - 23.6.5 ≥23.6.6 com.vaadin:vaadin24.0.0 - 24.8.13 ≥24.8.14 com.vaadin:vaadin24.9.0 - 24.9.6 ≥24.9.7 com.vaadin:vaadin-spreadsheet-flow 23.1.0 - 23.6.5 ≥23.6.6 com.vaadin:vaadin-spreadsheet-flow 24.0.0 - 24.8.13 ≥24.8.14 com.vaadin:vaadin-spreadsheet-flow 24.9.0 - 24.9.6 ≥24.9.7

Severity ?

4.8 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.7.50"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.1.0"
            },
            {
              "fixed": "23.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.8.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.9.0"
            },
            {
              "fixed": "24.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-spreadsheet-flow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.1.0"
            },
            {
              "fixed": "23.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-spreadsheet-flow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.0.0"
            },
            {
              "fixed": "24.8.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-spreadsheet-flow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.9.0"
            },
            {
              "fixed": "24.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-15022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T19:48:50Z",
    "nvd_published_at": "2026-01-05T08:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.\n\nIn Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.\n\nIn Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.\n\nVaadin 14 is not affected as Spreadsheet component was not supported.\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.49\nVaadin 8.0.0 - 8.29.1\nVaadin 23.1.0 - 23.6.5\nVaadin 24.0.0 - 24.8.13\nVaadin 24.9.0 - 24.9.6\n\nMitigation\nUpgrade to 7.7.50\nUpgrade to 8.30.0\nUpgrade to 23.6.6\nUpgrade to 24.8.14 or 24.9.7\nUpgrade to 25.0.0 or newer\n\nArtifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.49\n\u22657.7.50\ncom.vaadin:vaadin-server\n8.0.0 - 8.29.1\n\u22658.30.0\ncom.vaadin:vaadin\n23.1.0 - 23.6.5\n\u226523.6.6\ncom.vaadin:vaadin24.0.0 - 24.8.13\n\u226524.8.14\ncom.vaadin:vaadin24.9.0 - 24.9.6\n\u226524.9.7\ncom.vaadin:vaadin-spreadsheet-flow\n23.1.0 - 23.6.5\n\u226523.6.6\ncom.vaadin:vaadin-spreadsheet-flow\n24.0.0 - 24.8.13\n\u226524.8.14\ncom.vaadin:vaadin-spreadsheet-flow\n24.9.0 - 24.9.6\n\u226524.9.7",
  "id": "GHSA-7wwv-79xw-rvvg",
  "modified": "2026-01-05T19:48:50Z",
  "published": "2026-01-05T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow-components/pull/8285"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow-components/commit/71046aa3dd08be0907bd03140c33131b94f6e99c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vaadin/flow-components"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2025-15022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vaadin vulnerable to Cross-site Scripting"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-15022 (GCVE-0-2025-15022)

FKIE_CVE-2025-15022

WID-SEC-W-2026-0003

GHSA-7WWV-79XW-RVVG

Tags

Sightings

Nomenclature