Vulnerability Database

299,749

Total vulnerabilities in the database

Reflected cross-site scripting in development mode handler in Vaadin

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

https://vaadin.com/security/cve-2021-33604

Published: Jun 28, 2021
Updated: Apr 14, 2023
GHSA: GHSA-8vfw-v2jv-9hwc
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CWEs:

CWE-172

Affected Software
References

Software	From	Fixed in
com.vaadin / flow-server	2.0.0	2.6.2
com.vaadin / flow-server	3.0.0	6.0.10

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo