CVE-2025-15022
Severity (CVSS v4.0): MEDIUM
Type: CWE-79 Cross-Site Scripting (XSS)
Publication date: 05/01/2026
Last modified: 05/01/2026
Description
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-Site Scripting (XSS) if caption content is derived from user input.

In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.

In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.

Vaadin 14 is not affected, as the Spreadsheet component was not supported there.

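As an added illustration of the sanitization approach the fixed versions take (example code written for this page, not Vaadin's own; the class and method names and the sample captions are assumed), the following uses Jsoup's relaxed safelist to both detect and clean active content in a caption before it reaches the browser:

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Caption sanitization in the style described in the advisory.
 * Not Vaadin's code: helper names and sample captions are assumptions.
 */
public final class CaptionSanitizer {

    /**
     * Keeps basic formatting (b, i, a, img, lists, ...) and drops
     * scripts, event-handler attributes and javascript: URLs.
     */
    public static String sanitizeCaption(String rawCaption) {
        if (rawCaption == null) {
            return "";
        }
        return Jsoup.clean(rawCaption, Safelist.relaxed());
    }

    /** True when the relaxed safelist would leave the caption unchanged. */
    public static boolean isSafeCaption(String rawCaption) {
        return rawCaption == null || Jsoup.isValid(rawCaption, Safelist.relaxed());
    }

    public static void main(String[] args) {
        // Constructed sample captions: one benign formatted caption and
        // two carrying active content that the safelist removes.
        String[] samples = {
            "Delete <b>row</b>",
            "<img src=x onerror=alert(1)>Rename",
            "<a href=\"javascript:alert(1)\">Copy</a>"
        };
        for (String caption : samples) {
            System.out.println("raw     : " + caption);
            System.out.println("safe?   : " + isSafeCaption(caption));
            System.out.println("cleaned : " + sanitizeCaption(caption));
            System.out.println();
        }
    }
}
```

Logging captions for which isSafeCaption returns false gives a cheap signal that user-controlled text is reaching an HTML-capable caption, which is the condition the advisory describes.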
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Affected product versions:
Vaadin 7.0.0 - 7.7.49
Vaadin 8.0.0 - 8.29.1
Vaadin 23.1.0 - 23.6.5
Vaadin 24.0.0 - 24.8.13
Vaadin 24.9.0 - 24.9.6

Mitigation:
Upgrade to 7.7.50
Upgrade to 8.30.0
Upgrade to 23.6.6
Upgrade to 24.8.14 or 24.9.7
Upgrade to 25.0.0 or newer
<br />
Artifacts

Maven coordinates                    Vulnerable versions   Fixed version
com.vaadin:vaadin-server             7.0.0 - 7.7.49        >= 7.7.50
com.vaadin:vaadin-server             8.0.0 - 8.29.1        >= 8.30.0
com.vaadin:vaadin                    23.1.0 - 23.6.5       >= 23.6.6
com.vaadin:vaadin                    24.0.0 - 24.8.13      >= 24.8.14
com.vaadin:vaadin                    24.9.0 - 24.9.6       >= 24.9.7
com.vaadin:vaadin-spreadsheet-flow   23.1.0 - 23.6.5       >= 23.6.6
com.vaadin:vaadin-spreadsheet-flow   24.0.0 - 24.8.13      >= 24.8.14
com.vaadin:vaadin-spreadsheet-flow   24.9.0 - 24.9.6       >= 24.9.7