PT-2026-24205 · Maven+2 · Com.Vaadin:Flow-Project+2
Published 2026-03-10 · Updated 2026-05-07 · CVE-2026-2741
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Vaadin versions 14.2.0 through 14.14.0
Vaadin versions 23.0.0 through 23.6.6
Vaadin versions 24.0.0 through 24.9.8
Vaadin versions 25.0.0 through 25.0.2
Description
A flaw exists in Vaadin that allows specially crafted ZIP archives to escape the intended extraction directory during Node.js download and extraction. This can occur when Vaadin’s build process automatically downloads and extracts Node.js if it is not already installed locally. An attacker who can intercept or control this download—through methods like DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack—could serve a malicious archive containing path traversal sequences. These sequences can then write files outside the intended extraction directory.
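The mechanism described above is the classic "zip slip": an archive entry named with `../` components (or an absolute path) is joined onto the extraction directory and written wherever it resolves. The following Python example is added here for illustration and is not Vaadin's code or its fix; it constructs a small in-memory archive that contains one legitimate Node.js-style entry plus two escaping entries (both constructed), lists the entries that would land outside the destination, and shows an extractor that validates every entry's resolved path before writing anything. The archive contents and entry names are assumptions made for the example.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """Constructed sample archive: one legitimate entry plus, optionally, two
    entries whose names try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("node-v20.0.0-linux-x64/bin/node", b"#!/bin/sh\necho fake node\n")
        if include_traversal:
            # Relative traversal: resolves to a parent of the destination.
            zf.writestr("../../escaped.sh", b"echo written outside dest\n")
            # Absolute path: os.path.join() discards the destination entirely.
            zf.writestr("/tmp/absolute.txt", b"absolute path entry\n")
    return buf.getvalue()


def resolve_inside(dest: str, entry_name: str) -> bool:
    """True if entry_name, joined onto dest, still resolves inside dest.
    Comparing real (symlink-resolved) paths with a trailing separator avoids
    the prefix trap where '/opt/node' would accept '/opt/node-evil/x'."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def find_unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Names of entries that would be written outside dest. This is the check a
    build pipeline can run on a downloaded archive before trusting it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not resolve_inside(dest, i.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only after every entry has been validated. Raises before any
    file is written if a single entry escapes dest. Returns the entry names
    that were written."""
    unsafe = find_unsafe_entries(zip_bytes, dest)
    if unsafe:
        raise ValueError(f"refusing to extract, entries escape {dest}: {unsafe}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def run_demo() -> dict:
    """Run the check and the extractor against a fresh temporary directory and
    report what happened (used as the example's entry point)."""
    dest = tempfile.mkdtemp(prefix="node-extract-")
    malicious = build_sample_archive(include_traversal=True)
    unsafe = find_unsafe_entries(malicious, dest)
    try:
        safe_extract(malicious, dest)
        rejected = False
    except ValueError:
        rejected = True
    node_path = os.path.join(dest, "node-v20.0.0-linux-x64", "bin", "node")
    nothing_written = not os.path.exists(node_path)
    written = safe_extract(build_sample_archive(include_traversal=False), dest)
    return {
        "unsafe": unsafe,
        "rejected": rejected,
        "nothing_written_on_rejection": nothing_written,
        "written": written,
        "node_present": os.path.isfile(node_path),
    }


if __name__ == "__main__":
    print(run_demo())
```

The important design choice is validating the whole entry list before writing anything: an extractor that checks entries one at a time can already have written the first escaping entry by the time it rejects the second. The same resolve-then-compare check applies to tar archives, which additionally need symlink and hard-link entries inspected.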
Recommendations
Vaadin versions 14.2.0 through 14.14.0 should be upgraded to 14.14.1.
Vaadin versions 23.0.0 through 23.6.6 should be upgraded to 23.6.7.
Vaadin versions 24.0.0 through 24.9.8 should be upgraded to 24.9.9.
Vaadin versions 25.0.0 through 25.0.2 should be upgraded to 25.0.3 or newer.
Users of unsupported Vaadin versions 10-13 and 15-22 should update to the latest 14, 23, 24, or 25 version.
Consider using a globally preinstalled Node.js version compatible with your Vaadin version.
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Com.Vaadin:Flow-Project
Flow
Vaadin