CVE ID : CVE-2025-15022<\/p>\n
Published : Jan. 5, 2026, 7:52 a.m. | 33\u00a0minutes ago<\/p>\n
Description : Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.<\/p>\n
In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.<\/p>\n
In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.<\/p>\n
Vaadin 14 is not affected as Spreadsheet component was not supported.<\/p>\n
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:<\/p>\n
Product version
\nVaadin 7.0.0 – 7.7.49
\nVaadin 8.0.0 – 8.29.1
\nVaadin 23.1.0 – 23.6.5
\nVaadin 24.0.0 – 24.8.13
\nVaadin 24.9.0 – 24.9.6<\/p>\n
Mitigation
\nUpgrade to 7.7.50
\nUpgrade to 8.30.0
\nUpgrade to 23.6.6
\nUpgrade to 24.8.14 or 24.9.7
\nUpgrade to 25.0.0 or newer<\/p>\n
Artifacts\u00a0 \u00a0 \u00a0Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server
\n7.0.0 – 7.7.49
\n\u22657.7.50
\ncom.vaadin:vaadin-server
\n8.0.0 – 8.29.1
\n\u22658.30.0
\ncom.vaadin:vaadin
\n23.1.0 – 23.6.5
\n\u226523.6.6
\ncom.vaadin:vaadin24.0.0 – 24.8.13
\n\u226524.8.14
\ncom.vaadin:vaadin24.9.0 – 24.9.6
\n\u226524.9.7
\ncom.vaadin:vaadin-spreadsheet-flow
\n23.1.0 – 23.6.5
\n\u226523.6.6
\ncom.vaadin:vaadin-spreadsheet-flow
\n24.0.0 – 24.8.13
\n\u226524.8.14
\ncom.vaadin:vaadin-spreadsheet-flow
\n24.9.0 – 24.9.6
\n\u226524.9.7<\/p>\n
Severity: 4.8 | MEDIUM<\/p>\n
Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"
CVE ID : CVE-2025-15022 Published : Jan. 5, 2026, 7:52 a.m. | 33\u00a0minutes ago Description : Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-75482","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/75482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=75482"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/75482\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=75482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=75482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=75482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}