CVE-2025-15022 in Vaadin

Summary

by MITRE • 01/05/2026

Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input.

In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility.

In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist.

Vaadin 14 is not affected, as the Spreadsheet component was not supported there.

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version            Mitigation
Vaadin 7.0.0 - 7.7.49      Upgrade to 7.7.50
Vaadin 8.0.0 - 8.29.1      Upgrade to 8.30.0
Vaadin 23.1.0 - 23.6.5     Upgrade to 23.6.6
Vaadin 24.0.0 - 24.8.13    Upgrade to 24.8.14 or 24.9.7
Vaadin 24.9.0 - 24.9.6     Upgrade to 25.0.0 or newer

Artifacts

Maven coordinates                    Vulnerable versions   Fixed version
com.vaadin:vaadin-server             7.0.0 - 7.7.49        ≥7.7.50
com.vaadin:vaadin-server             8.0.0 - 8.29.1        ≥8.30.0
com.vaadin:vaadin                    23.1.0 - 23.6.5       ≥23.6.6
com.vaadin:vaadin                    24.0.0 - 24.8.13      ≥24.8.14
com.vaadin:vaadin                    24.9.0 - 24.9.6       ≥24.9.7
com.vaadin:vaadin-spreadsheet-flow   23.1.0 - 23.6.5       ≥23.6.6
com.vaadin:vaadin-spreadsheet-flow   24.0.0 - 24.8.13      ≥24.8.14
com.vaadin:vaadin-spreadsheet-flow   24.9.0 - 24.9.6       ≥24.9.7


Analysis

by VulDB Data Team • 01/06/2026

The vulnerability identified as CVE-2025-15022 affects the Vaadin Framework's Action class implementation across multiple versions, specifically exposing applications to cross-site scripting attacks through improper handling of HTML content in captions. This flaw resides in how Vaadin Framework versions 7 and 8 process user-provided content within Action objects, which are utilized by various components throughout the framework. The vulnerability manifests when caption content derived from user input contains unsanitized HTML, creating an attack surface for malicious actors to inject scripts that execute in the context of other users' browsers. According to CWE-79, this represents a classic cross-site scripting vulnerability where insufficient input validation and output encoding allow attackers to inject malicious scripts into web applications. The vulnerability is particularly concerning as it affects widely used versions of the framework, with Vaadin 7 and 8 being especially impacted due to their continued usage in legacy applications.

The technical implementation of this vulnerability stems from the Action class's default behavior of accepting HTML content without proper sanitization mechanisms. In Vaadin Framework versions 7 and 8, the Action class serves as a general-purpose container for actions that may be displayed in various UI components, including menus, buttons, and context menus. When caption content is populated from user inputs, the framework fails to sanitize the HTML content, allowing potentially malicious scripts to be embedded directly within the caption text. This issue is further exacerbated by the fact that Vaadin 23 and newer versions still utilize the Action class within the Spreadsheet component, maintaining the same security risk despite architectural improvements in other areas. The vulnerability is classified under ATT&CK technique T1531 which involves the use of malicious code to gain unauthorized access or execute arbitrary commands through web application vulnerabilities.

The operational impact of this vulnerability extends beyond simple script execution, potentially allowing attackers to perform session hijacking, data theft, or even privilege escalation within affected applications. When malicious HTML is rendered in captions, it can execute in the context of authenticated users, leading to unauthorized access to sensitive data or system functions. The attack vector is particularly dangerous in enterprise environments where Vaadin applications handle sensitive business data or user information. Applications using Vaadin 7 and 8 are particularly at risk as these versions have been widely deployed in production environments, making the potential impact substantial. The vulnerability affects not only direct user input but also any application logic that dynamically generates caption content from external sources, including database content, API responses, or file uploads.

Mitigation strategies for this vulnerability require immediate action through version upgrades to patched releases, as the vulnerability cannot be effectively addressed through simple code changes or configuration adjustments. Organizations using affected versions must upgrade to the specified fixed versions, with the recommended approach being to move to Vaadin 7.7.50, 8.30.0, 23.6.6, 24.8.14, or 24.9.7, or newer releases. The fix implemented in these versions includes comprehensive HTML sanitization using Jsoup with a relaxed safelist, which effectively removes potentially dangerous HTML elements while preserving legitimate formatting. This approach aligns with security best practices outlined in OWASP Top 10 and follows established methodologies for preventing XSS attacks. For organizations unable to immediately upgrade, the recommended approach involves implementing additional input validation and output encoding at the application level, though this approach is considered less secure than the framework-level fixes. The vulnerability affects the vaadin-server and vaadin-spreadsheet-flow artifacts, requiring careful attention to ensure all related components are updated to prevent potential exploitation paths. The implementation of these fixes demonstrates the importance of proper content sanitization in web frameworks, particularly in components that handle user-provided data and render it directly in the browser context.
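The following Java class is an added example and not Vaadin's own code. It models the post-fix behaviour the summary describes (captions sanitized by default, an explicit opt-in for HTML content, sanitization done with Jsoup's relaxed safelist) and also shows the kind of application-level sanitization mentioned above for deployments that cannot upgrade immediately. The class name SafeCaptionAction and the methods of(), withTrustedHtml(), caption() and containsDisallowedHtml() are assumptions for illustration; Vaadin's actual API names are not given on this page. The only library calls are Jsoup.clean and Jsoup.isValid with Safelist.relaxed().

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

// Added example, not Vaadin's code. Models the fixed behaviour described in the
// advisory: captions are sanitized by default with Jsoup's relaxed safelist, and
// raw HTML is rendered only when the caller opts in explicitly.
// SafeCaptionAction, of(), withTrustedHtml() and caption() are hypothetical names.
public final class SafeCaptionAction {

    // Safelist.relaxed() keeps common formatting (b, i, p, a, img, table, ...)
    // but drops script and style elements, on* event-handler attributes, and
    // href/src values whose scheme is not http, https, ftp or mailto.
    private static final Safelist CAPTION_SAFELIST = Safelist.relaxed();

    private final String rawCaption;
    private final boolean htmlContentAllowed;

    private SafeCaptionAction(String rawCaption, boolean htmlContentAllowed) {
        this.rawCaption = rawCaption == null ? "" : rawCaption;
        this.htmlContentAllowed = htmlContentAllowed;
    }

    // Default path: wherever the caption came from, it is sanitized before rendering.
    public static SafeCaptionAction of(String caption) {
        return new SafeCaptionAction(caption, false);
    }

    // Explicit opt-in for developer-authored HTML (the backwards-compatibility
    // mode). Only use this for literals the application itself controls.
    public static SafeCaptionAction withTrustedHtml(String caption) {
        return new SafeCaptionAction(caption, true);
    }

    // The markup that would reach the browser.
    public String caption() {
        return htmlContentAllowed ? rawCaption : sanitize(rawCaption);
    }

    // Sanitize a body fragment against the relaxed safelist.
    public static String sanitize(String html) {
        return Jsoup.clean(html == null ? "" : html, CAPTION_SAFELIST);
    }

    // Audit aid: true when the input carries tags or attributes outside the
    // safelist, i.e. when sanitization would change the caption. Worth logging
    // whenever captions are built from database, API or upload content.
    public static boolean containsDisallowedHtml(String html) {
        return html != null && !Jsoup.isValid(html, CAPTION_SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed sample: a caption assembled from a user-supplied file name
        // that carries a script element and a javascript: link.
        String userSuppliedName = "report<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">Q4</a>";
        String caption = "Delete <b>" + userSuppliedName + "</b>";

        SafeCaptionAction safe = SafeCaptionAction.of(caption);
        System.out.println("default (sanitized): " + safe.caption());
        System.out.println("disallowed markup present: " + containsDisallowedHtml(caption));

        // Developer-authored literal: the opt-in path returns it unchanged.
        String trusted = "<i>Export</i> as PDF";
        System.out.println("opt-in (raw): "
                + SafeCaptionAction.withTrustedHtml(trusted).caption());
    }
}
```

Compile with jsoup on the classpath (Maven coordinate org.jsoup:jsoup; the Safelist class exists from jsoup 1.14.1 onward, earlier releases call it Whitelist). On the constructed sample the default path drops the script element and the javascript: href while keeping the b and a elements and their text, and containsDisallowedHtml reports true. Two design points: sanitize at render time and keep the stored value raw, so that a later change of safelist does not require re-migrating data; and note that relaxed() still admits links and images to http(s) URLs, so captions that never need markup are better served by Safelist.none() or by plain-text captions.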

Responsible

Vaadin

Reservation

12/22/2025

Disclosure

01/05/2026

Moderation

accepted

CPE

ready

EPSS

0.00014

KEV

no

Activities

very low

Sources
