Vulnerability Database

296,621

Total vulnerabilities in the database

CVE-2025-9467

Description

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version.

Published: Sep 4, 2025
Updated: Sep 5, 2025
CVE: CVE-2025-9467
GHSA: GHSA-9gfh-4fwj-w3rj
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-20
CWE-434

Affected Software
References

Software	From	Fixed in
com.vaadin / vaadin-server	7.0.0	7.7.48
com.vaadin / vaadin-server	8.0.0	8.28.2

https://github.com/vaadin/flow-components/commit/bfe9e507cdcc5d90a2312c8f0162f798a29ba635
https://github.com/vaadin/flow-components/pull/7616
https://github.com/vaadin/framework/security/advisories/GHSA-9gfh-4fwj-w3rj
https://vaadin.com/security/cve-2025-9467

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo