Update flow to 23.6.10

[vaadin-bot]

No description provided.

[github-actions]

Dependencies Report

• 🟠 Known Vulnerabilities:

  • Vulnerabilities in: pkg:npm/railroad-diagrams@1.0.0 [CVE-2024-26467] (oss-bomber)
    👌 This is coming from the tools, @cyclonedx/cyclonedx-npm, we have used for sbom module, FP for us.
    ·
    • Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.2 [CVE-2023-35116] (owasp)
      👌 based on the issue this is not a CVE Stack overflow error caused by serialization of Map with cyclic dependency -- NOT CVE FasterXML/jackson-databind#3972
      · cpe:2.3:a:fasterxml:jackson-databind::::::::

• 🚫 Vulnerabilities:

  • Vulnerabilities in: pkg:maven/com.vaadin/vaadin@23.6-SNAPSHOT [CVE-2025-15022, GHSA-c7v7-rqfm-f44j, CVE-2026-2742] (osv-bomber,osv-scan)
    ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-upload-flow@23.6-SNAPSHOT [GHSA-94g8-xv23-7656] (osv-bomber)
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-spreadsheet-flow@23.6-SNAPSHOT [CVE-2025-15022] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.2 [GHSA-72hv-8253-57qq, CVE-2025-52999] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.nimbusds/nimbus-jose-jwt@9.37.3 [CVE-2025-53864] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.poi/poi-ooxml@5.2.3 [CVE-2025-31672] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-websocket@5.3.32 [CVE-2025-41254] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-web@5.3.32 [CVE-2024-38809, CVE-2024-22262, CVE-2024-38820, CVE-2016-1000027, CVE-2024-22259, CVE-2024-38808] (osv-bomber,osv-scan,owasp)
      ·
      · cpe:2.3:a:vmware:spring_framework::::::::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
      · cpe:2.3:a:netapp:oncommand_insight:-:::::::*
    • Vulnerabilities in: pkg:maven/org.springframework/spring-core@5.3.32 [CVE-2025-41249, CVE-2024-22259, CVE-2024-38820, CVE-2024-38808] (osv-bomber,osv-scan,owasp)
      ·
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
      · cpe:2.3:a:vmware:spring_framework::::::::
      · cpe:2.3:a:netapp:oncommand_insight:-:::::::*
    • Vulnerabilities in: pkg:maven/org.springframework/spring-webmvc@5.3.32 [CVE-2026-22737, CVE-2026-22735, CVE-2024-38816, CVE-2024-38819, CVE-2025-41242, CVE-2024-38828] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-context@5.3.32 [CVE-2024-38820, CVE-2025-22233] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-expression@5.3.32 [CVE-2024-38808] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.104 [CVE-2025-53506, CVE-2025-49124, CVE-2025-66614, CVE-2025-48989, CVE-2025-46701, CVE-2025-48988, CVE-2025-61795, CVE-2026-24734, CVE-2026-24733, CVE-2025-55754, CVE-2025-49125, CVE-2025-55752, CVE-2025-52520, BIT-tomcat-2025-53506, BIT-tomcat-2025-49124, BIT-tomcat-2025-66614, BIT-tomcat-2025-48989, BIT-tomcat-2025-46701, BIT-tomcat-2025-48988, BIT-tomcat-2025-61795, BIT-tomcat-2026-24734, BIT-tomcat-2026-24733, BIT-tomcat-2025-55754, BIT-tomcat-2025-49125, BIT-tomcat-2025-55752, BIT-tomcat-2025-52520, CVE-2025-52434, CVE-2025-55668] (osv-bomber,osv-scan,owasp)
      · cpe:2.3:a:apache:tomcat::::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone21::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone22::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone23::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone24::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone25::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone26::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat_native::::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:-::::::
      ·
    • Vulnerabilities in: pkg:maven/ch.qos.logback/logback-core@1.2.13 [CVE-2025-11226, CVE-2024-12801, CVE-2024-12798, CVE-2026-1225] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework.boot/spring-boot@2.7.18 [CVE-2025-22235] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:npm/vite@3.2.11 [CVE-2025-32395, CVE-2025-31125, CVE-2025-46565, CVE-2025-62522, CVE-2025-58751, CVE-2025-58752, CVE-2025-24010, CVE-2025-30208, CVE-2025-31486] (osv-bomber,oss-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:npm/path-to-regexp@2.4.0 [CVE-2024-45296] (osv-bomber,oss-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:npm/esbuild@0.15.18 [GHSA-67mh-4wv8-2f99] (osv-bomber)
      ·
    • Vulnerabilities in: pkg:npm/serialize-javascript@4.0.0 [GHSA-5c6j-r48x-rmvq] (osv-bomber)
      ·
    • Vulnerabilities in: pkg:npm/libxmljs2@0.37.0 [CVE-2024-34393, CVE-2024-34394] (oss-bomber)
      ·
    • Vulnerabilities in: pkg:maven/tools.jackson.core/jackson-core@2.14.2 [] ()
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-server@23.6-SNAPSHOT [CVE-2025-15022] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/flow-server@23.6-SNAPSHOT [CVE-2026-2742] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-coyote@9.0.104 [BIT-tomcat-2025-53506, CVE-2025-53506, BIT-tomcat-2025-48989, CVE-2025-48989, BIT-tomcat-2026-24734, CVE-2026-24734] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat@9.0.104 [BIT-tomcat-2025-49124, CVE-2025-49124, BIT-tomcat-2025-66614, CVE-2025-66614, BIT-tomcat-2025-61795, CVE-2025-61795, BIT-tomcat-2026-24733, CVE-2026-24733, BIT-tomcat-2025-55754, CVE-2025-55754, BIT-tomcat-2025-55752, CVE-2025-55752] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.104 [BIT-tomcat-2025-49124, CVE-2025-49124, BIT-tomcat-2025-66614, CVE-2025-66614, BIT-tomcat-2025-46701, CVE-2025-46701, BIT-tomcat-2025-48988, CVE-2025-48988, BIT-tomcat-2025-61795, CVE-2025-61795, BIT-tomcat-2026-24733, CVE-2026-24733, BIT-tomcat-2025-55754, CVE-2025-55754, BIT-tomcat-2025-49125, CVE-2025-49125, BIT-tomcat-2025-55752, CVE-2025-55752, BIT-tomcat-2025-52520, CVE-2025-52520] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-webflux@5.3.32 [CVE-2026-22737, CVE-2026-22735, CVE-2024-38816, CVE-2024-38819] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.poi/poi@5.2.3 [CVE-2025-31672] (owasp)
      · cpe:2.3:a:apache:poi::::::::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::

• 🟠 Changes in 23.6-SNAPSHOT since V23.6.9

  • 28 packages modified (18 external, 10 vaadin)
  • 777 packages same (611 external, 166 vaadin)

[Click for more Details]