PT-2026-1225 · Vaadin+1 · Vaadin 24.8.13+11
Published 2026-01-05 · Updated 2026-01-05 · CVE-2025-15022
CVSS v4.0: 4.8 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber
Name of the Vulnerable Software and Affected Versions
Vaadin versions 7.0.0 through 7.7.49
Vaadin versions 8.0.0 through 8.29.1
Vaadin versions 23.1.0 through 23.6.5
Vaadin versions 24.0.0 through 24.8.13
Vaadin versions 24.9.0 through 24.9.6
Description
The affected Vaadin versions allow HTML in action captions by default without proper sanitization. This can lead to Cross-site Scripting (XSS) if the caption content originates from user input. The issue is addressed in newer versions by sanitizing captions by default and by providing an API to enable an HTML content mode for compatibility. In Vaadin 23 and later, the Spreadsheet component uses Jsoup with a relaxed safelist for HTML sanitization. Vaadin 14 is not affected, because the Spreadsheet component was not supported there.
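As an added example (not part of this advisory and not Vaadin's own code), the following Java sketch shows the defensive pattern the description attributes to the fixed versions: captions rendered as escaped text by default, with a Jsoup relaxed safelist applied only when an HTML content mode is explicitly enabled. The class and method names, the mode flag and the sample caption are assumptions made for the illustration.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Entities;
import org.jsoup.safety.Safelist;

/**
 * Added illustration (not Vaadin's implementation) of the two caption-handling
 * modes the advisory describes: escaped plain text by default, and a Jsoup
 * relaxed-safelist clean only when HTML content mode is opted into.
 * Class, method and flag names are hypothetical.
 */
public class ActionCaptionRenderer {

    // Safelist.relaxed() keeps common formatting tags (b, i, a, span, table, ...)
    // but removes script/style elements, event-handler attributes such as
    // onclick, and href/src values whose protocol is not on its allow-list.
    private static final Safelist CAPTION_SAFELIST = Safelist.relaxed();

    /**
     * Returns markup that is safe to place in the action menu.
     * htmlContentMode=false: the caption is shown literally (all markup escaped).
     * htmlContentMode=true : safelisted HTML is kept, everything else is removed.
     */
    public static String renderCaption(String caption, boolean htmlContentMode) {
        if (caption == null) {
            return "";
        }
        if (!htmlContentMode) {
            // Default: treat the caption as text, never as markup.
            return Entities.escape(caption);
        }
        // Opt-in HTML mode: allow only what the relaxed safelist permits.
        return Jsoup.clean(caption, CAPTION_SAFELIST);
    }

    /** True when the caption already contains only safelisted markup. */
    public static boolean isSafelistedHtml(String caption) {
        return Jsoup.isValid(caption, CAPTION_SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed sample: harmless formatting mixed with markup a safelist
        // must strip (an inline event handler and a script element).
        String untrusted = "<b>Export</b> <span onclick=\"run()\">rows</span><script>run()</script>";
        System.out.println("safelisted as-is : " + isSafelistedHtml(untrusted));
        System.out.println("default mode     : " + renderCaption(untrusted, false));
        System.out.println("html content mode: " + renderCaption(untrusted, true));
    }
}
```

Running it shows the default mode emitting the caption as visible text, while HTML mode keeps the `<b>` and `<span>` elements but drops the `onclick` attribute and the entire `<script>` element.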
Recommendations
Upgrade to Vaadin version 7.7.50 or newer.
Upgrade to Vaadin version 8.30.0 or newer.
Upgrade to Vaadin version 23.6.6 or newer.
Upgrade to Vaadin version 24.8.14 or 24.9.7 or newer.
Upgrade to Vaadin version 25.0.0 or newer.
Fix
XSS
Affected Products
Jsoup
Vaadin 23.1.0
Vaadin 23.6.5
Vaadin 24.0.0
Vaadin 24.8.13
Vaadin 24.9.0
Vaadin 24.9.6
Vaadin 25.0.0
Vaadin 7.0.0
Vaadin 7.7.49
Vaadin 8.0.0
Vaadin 8.29.1