Platform: java
Component: com.vaadin:flow-project
Fixed in: 14.14.1, 23.6.7, 24.9.9, 25.0.3, 2.13.1, 23.6.8, 24.9.10, 25.0.4
CVE-2026-2741 is a path traversal vulnerability in the Vaadin Flow Project. An attacker who can intercept or control the Node.js download that Vaadin performs during the build can cause files to be written outside the intended extraction directory. Affected versions are 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Fixes are available in 14.14.1, 23.6.7, 24.9.9 and 25.0.3, one per affected branch.
The attack requires a position on the download path: DNS hijacking, a man-in-the-middle on the connection, a compromised mirror, or another supply chain compromise. The attacker serves a malicious ZIP archive whose entry names contain path traversal sequences (such as ../). When the build extracts that archive, those entries are written outside the extraction directory on the build host, that is, on the developer workstation or CI runner that runs the Vaadin build, with the permissions of the build process. Depending on what that account can write, the result ranges from arbitrary code execution to data exfiltration or denial of service. The blast radius covers any data and credentials reachable by the build account, and, because the build produces the deployable application, the Vaadin application and the server it is deployed to.
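The following is an added example, not code from Vaadin or from the advisory. It builds a small poisoned ZIP in memory of the kind an attacker on the download path would serve, computes where a naive extractor (destination directory joined with the entry name, no check) would write, and contrasts that with a hardened extractor that resolves every entry path and refuses the whole archive if any entry escapes. The ~/.vaadin/node layout is assumed as the extraction directory; the entry names and contents are constructed.

```python
"""Zip Slip check for a downloaded Node.js archive (added example; not
Vaadin's code). Builds a poisoned ZIP in memory, then contrasts where a naive
extractor would write with a hardened extractor that refuses the archive.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed traversal entry. Relative to ~/.vaadin/node (assumed here as the
# extraction directory), two "../" land in the user's home directory.
TRAVERSAL_ENTRY = "../../.ssh/authorized_keys"


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed archive; zipfile does not sanitize entry names on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def escapes(root: Path, name: str) -> bool:
    """True if extracting entry *name* under *root* would land outside root."""
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return True  # absolute or drive-qualified names are escapes too
    target = (root / name).resolve()
    return target != root and root not in target.parents


def find_traversal_entries(zip_bytes: bytes, dest: Path) -> list[str]:
    root = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if escapes(root, i.filename)]


def naive_targets(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Paths a naive extractor would write to. Computed only, never written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(dest / i.filename).resolve() for i in zf.infolist()]


def safe_extract(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Check every entry first; refuse the whole archive on the first bad one
    rather than silently skipping it."""
    bad = find_traversal_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal entries: {bad}")
    root = dest.resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against a poisoned and a clean archive inside a
    throwaway directory laid out like <home>/.vaadin/node."""
    poisoned = build_zip({"node-v20.0.0-win-x64/node.exe": b"MZ...",
                          TRAVERSAL_ENTRY: b"ssh-ed25519 AAAA... attacker"})
    clean = build_zip({"node-v20.0.0-win-x64/node.exe": b"MZ...",
                       "node-v20.0.0-win-x64/npm": b"#!/bin/sh"})
    with tempfile.TemporaryDirectory() as home:
        dest = Path(home) / ".vaadin" / "node"
        dest.mkdir(parents=True)
        naive_outside = [p for p in naive_targets(poisoned, dest)
                         if dest.resolve() not in p.parents]
        try:
            safe_extract(poisoned, dest)
            rejected = False
        except ValueError:
            rejected = True
        clean_written = safe_extract(clean, dest)
        home_resolved = Path(home).resolve()
        return {
            "bad_entries": find_traversal_entries(poisoned, dest),
            "naive_would_write_outside": [str(p.relative_to(home_resolved))
                                          for p in naive_outside],
            "rejected": rejected,
            "clean_files_written": len(clean_written),
            "home_untouched": not (Path(home) / ".ssh").exists(),
        }
```

The check resolves the joined path and requires the extraction root to be one of its parents, which also catches absolute names and names that reach the root through symlinks; rejecting the archive as a whole, rather than dropping the offending entry, is the fail-closed choice, since a partially extracted Node.js is useless anyway.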
This vulnerability was publicly disclosed on 2026-03-10. There are currently no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog. The EPSS score is 0.06% (19th percentile), consistent with the precondition that the attacker must first intercept or control the Node.js download path, which is not trivial.
Organizations building web applications on the Vaadin Flow Project are at risk when the build relies on Vaadin's automatic Node.js download rather than a pre-installed Node.js. Shared build environments, where individual users have little control over how Node.js is obtained, are particularly exposed.
• java / server (check which Flow version the build resolves; affected if it is 14.2.0-14.14.0, 23.0.0-23.6.6, 24.0.0-24.9.8 or 25.0.0-25.0.2):
mvn dependency:tree -Dincludes=com.vaadin:flow-server
• generic web: no runtime HTTP check applies. The flaw is in build-time extraction of the Node.js archive, so response headers of the deployed application reveal nothing about it.
Exploit status
EPSS: 0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2026-2741 is to upgrade to the fixed release for your branch: 14.14.1, 23.6.7, 24.9.9 or 25.0.3, or later. If upgrading immediately is not feasible, use a globally pre-installed Node.js that is compatible with your Vaadin version, so that the build never downloads one. Where the download must remain, verify the archive against the checksums (and their signature) that nodejs.org publishes alongside each release before the build extracts it, and point the download at an internal mirror you control (the Vaadin Maven plugin exposes a nodeDownloadRoot setting for this) rather than the public one. Run builds under an account with the narrowest file system permissions that still let them complete, which limits what a traversal write can reach. A Web Application Firewall does not help here: the archive is fetched by the build tool, not submitted to the application. Regularly scan your build environments for vulnerable versions of the Vaadin Flow Project.
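The following is an added example, not code from Vaadin or from the advisory. It implements the checksum verification the mitigation refers to for a CI pre-step: nodejs.org publishes a SHASUMS256.txt per release whose lines read `<sha256 hex>  <filename>`, so the downloaded archive's SHA-256 is compared against the entry for its filename, fetched out of band. The archive bytes and the SHASUMS content below are constructed placeholders, not real release data; an archive that is absent from the list is treated as a failure rather than as nothing to check.

```python
"""Integrity check for a downloaded Node.js archive before the Vaadin build
extracts it (added example, not Vaadin's code). Inputs are constructed.
"""
import hashlib
import hmac


def parse_shasums(text: str) -> dict[str, str]:
    """Map filename -> hex digest from SHASUMS256.txt-style content."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line; never treat as a match
        digest, name = parts
        table[name] = digest.lower()
    return table


def verify_archive(archive: bytes, filename: str, shasums_text: str) -> bool:
    """True only if the archive's SHA-256 equals the published digest for
    *filename*. Fails closed when the filename is not listed at all."""
    expected = parse_shasums(shasums_text).get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed release: placeholder archive bytes and the SHASUMS line the
# publisher would emit for them. A real check hashes the bytes the build
# downloaded and reads SHASUMS256.txt fetched separately from nodejs.org.
FILENAME = "node-v20.0.0-win-x64.zip"
GOOD_ARCHIVE = b"PK\x03\x04 placeholder contents of " + FILENAME.encode()
SHASUMS_TEXT = (
    f"{hashlib.sha256(GOOD_ARCHIVE).hexdigest()}  {FILENAME}\n"
    f"{'0' * 64}  node-v20.0.0-linux-x64.tar.gz\n"  # placeholder sibling entry
)


def demo() -> dict:
    """Genuine archive passes; one flipped byte or an unlisted name fails."""
    tampered = GOOD_ARCHIVE[:-1] + b"!"  # one byte changed on the wire
    return {
        "genuine": verify_archive(GOOD_ARCHIVE, FILENAME, SHASUMS_TEXT),
        "tampered": verify_archive(tampered, FILENAME, SHASUMS_TEXT),
        "unlisted": verify_archive(GOOD_ARCHIVE,
                                   "node-v20.0.0-darwin-arm64.tar.gz",
                                   SHASUMS_TEXT),
    }
```

The checksum list must come from a channel the attacker on the download path cannot also control, which in practice means fetching it over a separately validated connection and checking its signature; a digest served next to the tampered archive proves nothing.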
CVE-2026-2741 is a path traversal vulnerability in the Vaadin Flow Project that lets an attacker who controls the Node.js download write files outside the intended directory when the build extracts the archive.
You are affected if you are using Vaadin Flow Project versions 14.2.0-14.14.0, 23.0.0-23.6.6, 24.0.0-24.9.8, or 25.0.0-25.0.2.
Upgrade to the fixed release for your branch: 14.14.1, 23.6.7, 24.9.9 or 25.0.3, or later. If you cannot upgrade immediately, use a pre-installed Node.js or verify the downloaded archive's checksum before the build extracts it.
There are currently no known public exploits or active campaigns targeting CVE-2026-2741.
Refer to the official Vaadin security advisory for CVE-2026-2741 on the Vaadin website.