Cross-site Scripting Vulnerability in Vaadin Framework by Vaadin
CVE-2025-15022

4.8MEDIUM

Key Information:

Vendor: Vaadin
Status: Vaadin; Framework; Vaadin-spreadsheet-flow
Vendor: CVE Published:; 5 January 2026

What is CVE-2025-15022?

The Vaadin Framework contains a vulnerability where action captions are allowed to accept HTML without sanitization, potentially leading to Cross-site Scripting (XSS) if the caption content is influenced by user input. This issue is present in several versions, specifically Vaadin 7 and 8, and has been mitigated in the newer releases that include automatic HTML sanitization using Jsoup with a relaxed safelist. Affected users are strongly encouraged to upgrade to the fixed versions or apply appropriate mitigations to enhance security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

framework 7.0.0 <= 7.7.49

framework 8.0.0 <= 8.29.1

vaadin 23.1.0 <= 23.6.5

References

https://vaadin.com/security/cve-2025-15022

https://github.com/vaadin/flow-components/pull/8285

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Jan 5, 2026
Vulnerability Reserved
Dec 22, 2025

JSON

Vaadin

What is CVE-2025-15022?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.