Vaadin
Easy fix7 remedies
cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*
Easy fix7 remedies
- >= 7.0.0, <= 7.7.49
- >= 8.0.0, <= 8.29.1
- >= 23.1.0, <= 23.6.5
- >= 24.0.0, <= 24.8.13
- >= 24.9.0, <= 24.9.6
Vaadin Action Class Cross-Site Scripting Vulnerability
Vulnerability
Patched
A cross-site scripting (XSS) vulnerability has been identified in the Vaadin Framework's Action class, which is used in versions 7 and 8. By default, Action captions can include HTML but were not properly sanitized. This issue could allow XSS attacks if the caption content comes from user input. In Vaadin 23 and newer, this vulnerability affects only the Spreadsheet component, as the Action class is no longer used by other components. Vaadin 14 is not affected because the Spreadsheet component was not supported.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Remediation
Users should upgrade to Vaadin versions 7.7.50, 8.30.0, 23.6.6, 24.8.14, 24.9.7, or 25.0.0 and newer. For versions 23.1.0 - 23.6.5 and 24.0.0 - 24.8.13, the upgrade to 24.9.0 - 24.9.6 is also available.
Added: Jan 5, 2026, 8:21 AM
Updated: Jan 5, 2026, 8:21 AM
Vulnerability Rating
Custom Algorithm
spread
0.0impact
1.7exploitability
3.0remediation
7.9relevance
1.9threat
0.0urgency
5.7incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.