All vulnerability reports

Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13

Medium (Base score 6.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE entry:


Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL.

See CWE-81: Improper Neutralization of Script in an Error Message Web Page


Due to missing output sanitization, the default RouteNotFoundError view could be used to execute unwanted JavaScript in a user's browser if the user opens a specially crafted URL.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin 10.0.0 - 10.0.13 Upgrade to 10.0.14 or newer 10 version
Vaadin 11 - 12 No longer supported. Upgrade to 13.0.6 or newer version
Vaadin 13.0.0 - 13.0.5 Upgrate to 13.0.6 or newer version

Please note that Vaadin versions 11-13 and 15-17 are no longer supported and you should update either to the latest 14 or 18 version respectively. Also, updating to Vaadin 7 is only available to extended-support customers.


Maven coordinates Vulnerable version Fixed version
com.vaadin:flow-server 1.0.0 - 1.0.10 ≥ 1.0.11
com.vaadin:flow-server 1.1 - 1.3 N/A
com.vaadin:flow-server 1.4.0 - 1.4.2 ≥ 1.4.3



  • 2019-05-27: Initial vulnerability report published