Vaadin 6.6.7 is available

Vaadin 6.6.7 contains critical security fixes and you are recommended to upgrade immediately

Vaadin 6.6.7 fixes several security issues discovered by Wouter Coekaerts ( and an internal review. Immediate upgrade to a version containing the fixes is strongly recommended for all users. The issues are:

#7670 Directory traversal vulnerability through AbstractApplicationServlet.serveStaticResourcesInVAADIN() (critical)

#7669 CSRF/XSS vulnerability through separator injection (important)

#7671 Contributory XSS: Possibility to inject HTML/javascript in system error messages (important)

#7672 Contributory XSS: possibility for injection in certain components (moderate)

A number of bugs have also been fixed In addition to the security issues. See the
list of closed issues
in Vaadin Trac for a detailed change log. For other release information, see the
Release Notes
. The demos are deployed at

Get the installation package from the download site at
. If you are using the Vaadin Plugin for Eclipse, upgrade the Vaadin version from the project preferences. If using Maven, the repositories will replicate in a few hours. The offline
Vaadin Plug-in for Eclipse
has also been updated to the new 6.6.7 and will shortly be available for download.

As always, when upgrading from an earlier version, you should recompile any custom widget sets and refresh your project in Eclipse. See the
General Upgrade Notes
for more details on upgrading.