CVE-2026-2741
medium
CVSS v3
6.8
CVSS v2
—
VIR risk
6.8
Description
Vaadin: Specially crafted ZIP archives can escape the intended extraction directory
Predictions
Exploit likelihood
77%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security@vaadin.com — https://vaadin.com/security/cve-2026-2741
Vendor advisory: security@vaadin.com — https://github.com/vaadin/flow/pull/23135
Vendor advisory: security@vaadin.com — https://github.com/vaadin/flow/pull/23133
Vendor advisory: security@vaadin.com — https://github.com/vaadin/flow/pull/23131
Vendor advisory: security@vaadin.com — https://github.com/vaadin/flow/pull/23130
Vendor advisory: security@vaadin.com — https://github.com/vaadin/flow/pull/23125
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | com.vaadin:flow-project | >=23.0.0,<23.6.7 | 23.6.7 |
| Maven | com.vaadin:flow-project | >=14.2.0,<14.14.1 | 14.14.1 |
| Maven | com.vaadin:flow-project | >=24.0.0,<24.9.9 | 24.9.9 |
| Maven | com.vaadin:flow-project | >=25.0.0,<25.0.3 | 25.0.3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| vaadin | vaadin | {"startIncluding":"14.2.0","endExcluding":"14.14.1"} | 14.14.1 |
References
- https://github.com/vaadin/flow/pull/23125
- https://github.com/vaadin/flow/pull/23130
- https://github.com/vaadin/flow/pull/23131
- https://github.com/vaadin/flow/pull/23133
- https://github.com/vaadin/flow/pull/23135
- https://vaadin.com/security/cve-2026-2741
- https://nvd.nist.gov/vuln/detail/CVE-2026-2741
- https://github.com/vaadin/flow
CWEs
CWE-22
Verify integrity in audit chain (admin only). AS-IS.