PT-2025-35893 · Vaadin · Vaadin 14.13.0 +9

Published 2025-09-04 · Updated 2025-09-04 · CVE-2025-9467

CVSS v4.0: 5.3

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green

**Name of the Vulnerable Software and Affected Versions:**

Vaadin versions 7.0.0 through 7.7.47

Vaadin versions 8.0.0 through 8.28.1

Vaadin versions 14.0.0 through 14.13.0

Vaadin versions 23.0.0 through 23.6.1

Vaadin versions 24.0.0 through 24.7.6

**Description:**

The Vaadin Upload component’s start listener validation can be bypassed when validating metadata for incoming uploads.

**Recommendations:**

Upgrade to Vaadin version 7.7.48 or newer.

Upgrade to Vaadin version 8.28.2 or newer.

Upgrade to Vaadin version 14.13.1 or newer.

Upgrade to Vaadin version 23.6.2 or newer.

Upgrade to Vaadin version 24.7.7 or newer.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2025-9467

Affected Products

Vaadin 14.0.0
Vaadin 14.13.0
Vaadin 23.0.0
Vaadin 23.6.1
Vaadin 24.0.0
Vaadin 24.7.6
Vaadin 7.0.0
Vaadin 7.7.47
Vaadin 8.0.0
Vaadin 8.28.1