PT-2025-36612 — Unrestricted File Upload in Maven Com.Vaadin:Vaadin-Server

PT-2025-36612 · Maven · Com.Vaadin:Vaadin-Server

Published

2025-09-04

Updated

2025-09-04

CVSS v4.0

5.3

Medium

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Green

Description

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version.

Fix

Unrestricted File Upload

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434CWE-20

Related Identifiers

GHSA-9GFH-4FWJ-W3RJ

Affected Products

Com.Vaadin:Vaadin-Server

PT-2025-36612 · Maven · Com.Vaadin:Vaadin-Server

Description

Weakness Enumeration

Related Identifiers

Affected Products

References · 7