{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T09:49:10.315","vulnerabilities":[{"cve":{"id":"CVE-2025-9467","sourceIdentifier":"security@vaadin.com","published":"2025-09-04T10:42:34.793","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. \n\n\nUsers of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:\n\nProduct version\nVaadin 7.0.0 - 7.7.47\nVaadin 8.0.0 - 8.28.1\nVaadin 14.0.0 - 14.13.0\nVaadin 23.0.0 - 23.6.1\nVaadin 24.0.0 - 24.7.6\n\nMitigation\nUpgrade to 7.7.48\nUpgrade to 8.28.2\nUpgrade to 14.13.1\nUpgrade to 23.6.2\nUpgrade to 24.7.7 or newer\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.\n\nArtifacts     Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server\n7.0.0 - 7.7.47\n≥7.7.48\ncom.vaadin:vaadin-server\n8.0.0 - 8.28.1\n≥8.28.2\ncom.vaadin:vaadin\n14.0.0 - 14.13.0\n≥14.13.1\ncom.vaadin:vaadin23.0.0 - 23.6.1\n≥23.6.2\ncom.vaadin:vaadin24.0.0 - 24.7.6\n≥24.7.7com.vaadin:vaadin-upload-flow\n2.0.0 - 14.13.0\n≥14.13.1\ncom.vaadin:vaadin-upload-flow\n23.0.0 - 23.6.1\n≥23.6.2\ncom.vaadin:vaadin-upload-flow\n24.0.0 - 24.7.6\n≥24.7.7"}],"metrics":{"cvssMetricV40":[{"source":"security@vaadin.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NEGLIGIBLE","Automatable":"NO","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"LOW","providerUrgency":"GREEN"}}]},"weaknesses":[{"source":"security@vaadin.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"references":[{"url":"https://vaadin.com/security/cve-2025-9467","source":"security@vaadin.com"}]}}]}