CVE-2026-2741

CVSS 4.0 base score 2.3 (Low) · EPSS 26.0%
Published Mar 10, 2026 (3 months ago) · Modified Jun 17, 2026 (2 weeks ago)

Description

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin's build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download (via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack), they can serve a malicious archive whose entry names contain path traversal sequences, causing files to be written outside the intended extraction directory. Users of affected versions should either use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 15.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer. Note that Vaadin versions 10-13 and 15-22 are no longer supported; update to the latest 14, 23, 24 or 25 version.
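The defensive check that closes this class of bug, as an added example in Python rather than Vaadin's own Java code: every archive member name is resolved against the target directory before anything is written, and the whole archive is rejected if any entry escapes. The archive contents and the helper names (resolve_member, safe_extract, build_archive) are constructed for this illustration.

```python
import io
import os
import zipfile


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive member would land outside the target directory."""


def resolve_member(target_dir: str, member_name: str) -> str:
    """Return the absolute destination for a member, or raise if it escapes.

    The comparison is done on the fully resolved path, so "../" segments,
    absolute names and backslash separators are all caught by one check.
    """
    root = os.path.realpath(target_dir)
    # Treat backslashes as separators too; on POSIX they would otherwise
    # survive inside the file name and sidestep a naive "../" scan.
    normalized = member_name.replace("\\", "/")
    dest = os.path.realpath(os.path.join(root, normalized))
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeArchiveEntry(
            f"entry {member_name!r} resolves to {dest!r}, outside {root!r}")
    return dest


def safe_extract(archive_bytes: bytes, target_dir: str) -> list:
    """Extract an in-memory ZIP, validating every member before writing any."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Plan all destinations first: a bad entry late in the archive must
        # not leave a half-extracted tree behind.
        plan = [(i, resolve_member(target_dir, i.filename)) for i in zf.infolist()]
        for info, dest in plan:
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(dest)
    return written


def build_archive(entries: dict) -> bytes:
    """Build a ZIP in memory from {member_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```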

CVSS Details

Base Score: 2.3
Vector string: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: N

Threat Intelligence

EPSS Exploit Probability: 26.0% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (1)

CWE-22: Path Traversal (Resource Mgmt)

Affected Products (4)

Vendor   Product   Version Range
vaadin   vaadin    ≥14.2.0 – <14.14.1
vaadin   vaadin    ≥15.0.0 – <23.6.7
vaadin   vaadin    ≥24.0.0 – <24.9.10
vaadin   vaadin    ≥25.0.0 – <25.0.4

References (6)

  • https://github.com/vaadin/flow/pull/23125 (Issue Tracking, Patch)
  • https://github.com/vaadin/flow/pull/23130 (Issue Tracking, Patch)
  • https://github.com/vaadin/flow/pull/23131 (Issue Tracking, Patch)
  • https://github.com/vaadin/flow/pull/23133 (Issue Tracking, Patch)
  • https://github.com/vaadin/flow/pull/23135 (Issue Tracking, Patch)
  • https://vaadin.com/security/cve-2026-2741 (Vendor Advisory)
