All vulnerability reports

Project sources exposure in Vaadin Designer

High (Base score 8.6) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE entry:


Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request.

See CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin Designer 4.3.0 - 4.6.3 Upgrade to 4.6.4 or newer version


  • 2021-04-22: Initial vulnerability report published