CVE-2025-15022
Unknown Unknown - Not Provided
Cross-site Scripting in Vaadin Action Captions Allows HTML Injection

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: Vaadin Ltd.

Description
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility. In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist. Vaadin 14 is not affected as Spreadsheet component was not supported. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include: Product version Vaadin 7.0.0 - 7.7.49 Vaadin 8.0.0 - 8.29.1 Vaadin 23.1.0 - 23.6.5 Vaadin 24.0.0 - 24.8.13 Vaadin 24.9.0 - 24.9.6 Mitigation Upgrade to 7.7.50 Upgrade to 8.30.0 Upgrade to 23.6.6 Upgrade to 24.8.14 or 24.9.7 Upgrade to 25.0.0 or newer ArtifactsΒ  Β  Β Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server 7.0.0 - 7.7.49 β‰₯7.7.50 com.vaadin:vaadin-server 8.0.0 - 8.29.1 β‰₯8.30.0 com.vaadin:vaadin 23.1.0 - 23.6.5 β‰₯23.6.6 com.vaadin:vaadin24.0.0 - 24.8.13 β‰₯24.8.14 com.vaadin:vaadin24.9.0 - 24.9.6 β‰₯24.9.7 com.vaadin:vaadin-spreadsheet-flow 23.1.0 - 23.6.5 β‰₯23.6.6 com.vaadin:vaadin-spreadsheet-flow 24.0.0 - 24.8.13 β‰₯24.8.14 com.vaadin:vaadin-spreadsheet-flow 24.9.0 - 24.9.6 β‰₯24.9.7
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15022
EUVD
EUVD-2026-0820
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
vaadin vaadin-server to 7.7.50 (exc)
vaadin vaadin-server to 8.30.0 (exc)
vaadin vaadin to 23.6.6 (exc)
vaadin vaadin to 24.8.14 (exc)
vaadin vaadin to 24.9.7 (exc)
vaadin vaadin-spreadsheet-flow to 23.6.6 (exc)
vaadin vaadin-spreadsheet-flow to 24.8.14 (exc)
vaadin vaadin-spreadsheet-flow to 24.9.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15022 is a Cross-site Scripting (XSS) vulnerability in the Vaadin Framework where Action captions accept HTML by default but were not sanitized. This means if the caption content comes from untrusted user input, an attacker could inject malicious scripts. The vulnerability affects Vaadin Framework versions 7 and 8 where the Action class is used by multiple components, and Vaadin 23 and newer where the Action class is used only by the Spreadsheet component. The issue was fixed by sanitizing captions by default and providing an API to enable HTML content mode explicitly for backward compatibility. In newer versions, HTML is sanitized using Jsoup with a relaxed safelist. Vaadin 14 is not affected as it does not support the Spreadsheet component. [1]

Impact Analysis

This vulnerability can allow an attacker to perform Cross-site Scripting (XSS) attacks by injecting malicious HTML or scripts into Action captions if those captions are derived from untrusted user input. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities within applications using affected Vaadin versions. Users of affected versions should upgrade to fixed versions or ensure captions are not derived from untrusted input or are manually sanitized. [1]

Detection Guidance

This vulnerability can be detected by identifying if your Vaadin application is using vulnerable versions of the affected artifacts (com.vaadin:vaadin-server, com.vaadin:vaadin, com.vaadin:vaadin-spreadsheet-flow) within the specified version ranges. You can check your Maven dependencies or application package versions to see if they fall within the vulnerable ranges. Additionally, review if Action captions in your application accept HTML content derived from untrusted user input without sanitization. There are no specific network or system commands provided to detect this vulnerability directly. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading your Vaadin framework to the fixed versions: 7.7.50 or later for Vaadin 7, 8.30.0 or later for Vaadin 8, 23.6.6 or later for Vaadin 23, 24.8.14 or later for Vaadin 24, or 25.0.0 or newer. Alternatively, ensure that Action captions are not derived from untrusted user input or manually sanitize any user-provided content before using it as an Action caption to prevent XSS attacks. [1]

Compliance Impact

This vulnerability allows Cross-site Scripting (XSS) attacks due to unsanitized HTML in Action captions derived from user input. Such XSS vulnerabilities can lead to unauthorized access or manipulation of user data, potentially violating data protection requirements in standards like GDPR and HIPAA. Organizations using affected Vaadin versions without applying fixes or mitigations may risk non-compliance due to insufficient input sanitization and potential data exposure through XSS attacks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15022. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart