PT-2026-41882 · Vaadin · Vaadin Maven Plugin+1
Published: 2026-05-19 · Updated: 2026-05-19
CVE-2026-7860
CVSS v4.0: 1.6 (Low)
Vector: AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/S:N/AU:N/R:A/V:C/RE:L/U:Green
Name of the Vulnerable Software and Affected Versions
Vaadin Maven plugin versions 23.0.0 through 23.6.9
Vaadin Maven plugin versions 24.0.0 through 24.9.16
Vaadin Maven plugin versions 24.10.0 through 24.10.3
Vaadin Maven plugin versions 25.0.0 through 25.0.10
Vaadin Maven plugin versions 25.1.0 through 25.1.4
Vaadin Gradle plugin versions 24.0.0 through 24.9.16
Vaadin Gradle plugin versions 24.10.0 through 24.10.3
Vaadin Gradle plugin versions 25.0.0 through 25.0.10
Vaadin Gradle plugin versions 25.1.0 through 25.1.4
Description
An information disclosure issue exists in the Vaadin Maven and Gradle plugins. When the frontend build process exits with a non-zero status, the full set of environment variables is exposed in the build logs. This can lead to the exposure of credentials supplied as secrets in clear text within CI logs and archived build artifacts.
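To check whether a log from an affected build already contains credentials, the following added example (not code from Vaadin or from this advisory) searches a log for the verbatim values of secret-looking environment variables and reports only the variable name and line number, never the value. The name pattern, the length threshold, and the sample environment and log lines are assumptions constructed for illustration.

```python
import re

# Name fragments that usually mark a credential (assumption; extend for your CI).
SENSITIVE_NAME = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|API_?KEY|PRIVATE_?KEY)", re.I)
MIN_VALUE_LEN = 8  # skip short values such as "true" that match by coincidence

def secret_candidates(env):
    """Return {name: value} for variables whose name suggests a credential."""
    return {
        name: value
        for name, value in env.items()
        if SENSITIVE_NAME.search(name) and len(value) >= MIN_VALUE_LEN
    }

def find_leaks(log_lines, env):
    """Return sorted (line_number, variable_name) pairs where a secret value
    appears verbatim in the log. The value itself is never returned."""
    secrets = secret_candidates(env)
    hits = set()
    for lineno, line in enumerate(log_lines, start=1):
        for name, value in secrets.items():
            if value in line:
                hits.add((lineno, name))
    return sorted(hits)

# Constructed sample: a CI environment and the log of a failed frontend build.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "CI": "true",
    "NPM_TOKEN": "constructed-token-0001",
    "DEPLOY_PASSWORD": "constructed-pass-42",
}
SAMPLE_LOG = [
    "[INFO] Running frontend build",
    "[ERROR] Frontend build exited with status 1",
    "[ERROR] PATH=/usr/local/bin:/usr/bin",
    "[ERROR] NPM_TOKEN=constructed-token-0001",
    "[ERROR] DEPLOY_PASSWORD=constructed-pass-42",
]

if __name__ == "__main__":
    import os
    import sys
    # Usage: python scan_log.py build.log  (run where the build's secrets are set)
    with open(sys.argv[1], errors="replace") as fh:
        for lineno, name in find_leaks(fh, os.environ):
            print(f"line {lineno}: value of {name} present in log")
```

Any variable reported here should be treated as exposed and its credential rotated.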
Recommendations
Upgrade versions 23.0.0 through 23.6.9 to 23.6.10.
Upgrade versions 24.0.0 through 24.9.16 to 24.9.17 or newer.
Upgrade versions 24.10.0 through 24.10.3 to 24.10.4 or newer.
Upgrade versions 25.0.0 through 25.0.10 to 25.0.11 or newer.
Upgrade versions 25.1.0 through 25.1.4 to 25.1.5 or newer.
Fix
Generation of Error Message Containing Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
Vaadin Gradle Plugin
Vaadin Maven Plugin