Update flow to 23.6.12

[vaadin-bot]

No description provided.

[github-actions]

Dependencies Report

• 🟠 Known Vulnerabilities:

  • Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.2 [CVE-2023-35116] (owasp)
    👌 based on the issue this is not a CVE Stack overflow error caused by serialization of Map with cyclic dependency -- NOT CVE FasterXML/jackson-databind#3972
    · cpe:2.3:a:fasterxml:jackson-databind::::::::

• 🚫 Vulnerabilities:

  • Vulnerabilities in: pkg:maven/com.vaadin/vaadin@23.6-SNAPSHOT [CVE-2025-15022, GHSA-c7v7-rqfm-f44j, CVE-2026-2742] (osv-bomber,osv-scan)
    ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-upload-flow@23.6-SNAPSHOT [GHSA-94g8-xv23-7656] (osv-bomber)
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-spreadsheet-flow@23.6-SNAPSHOT [CVE-2025-15022] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.2 [GHSA-72hv-8253-57qq, CVE-2025-52999] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.poi/poi-ooxml@5.2.3 [CVE-2025-31672] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-websocket@5.3.32 [CVE-2025-41254] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-web@5.3.32 [CVE-2024-38809, CVE-2024-22262, CVE-2024-38820, CVE-2016-1000027, CVE-2024-22259, CVE-2026-22740, CVE-2026-22737, CVE-2026-22745, CVE-2024-38808, CVE-2026-22741, CVE-2026-22735] (osv-bomber,osv-scan,owasp)
      ·
      · cpe:2.3:a:vmware:spring_framework::::::::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
      · cpe:2.3:a:netapp:oncommand_insight:-:::::::*
    • Vulnerabilities in: pkg:maven/org.springframework/spring-core@5.3.32 [CVE-2025-41249, CVE-2024-22259, CVE-2026-22740, CVE-2026-22737, CVE-2024-38820, CVE-2026-22745, CVE-2024-38808, CVE-2026-22741, CVE-2026-22735] (osv-bomber,osv-scan,owasp)
      ·
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
      · cpe:2.3:a:vmware:spring_framework::::::::
      · cpe:2.3:a:netapp:oncommand_insight:-:::::::*
    • Vulnerabilities in: pkg:maven/org.springframework/spring-webmvc@5.3.32 [CVE-2026-22737, CVE-2026-22735, CVE-2026-22745, CVE-2024-38816, CVE-2024-38819, CVE-2025-41242, CVE-2024-38828, CVE-2026-22741] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-context@5.3.32 [CVE-2024-38820, CVE-2025-22233] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-expression@5.3.32 [CVE-2024-38808] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.104 [CVE-2025-53506, CVE-2025-49124, CVE-2026-24880, CVE-2026-43515, CVE-2026-43513, CVE-2026-25854, CVE-2026-43514, CVE-2025-66614, CVE-2026-42498, CVE-2025-48989, CVE-2026-41284, CVE-2025-46701, CVE-2025-48988, CVE-2026-43512, CVE-2025-61795, CVE-2026-24734, CVE-2026-24733, CVE-2026-41293, CVE-2026-34483, CVE-2025-55754, CVE-2025-49125, CVE-2025-55752, CVE-2025-52520, CVE-2026-34487, BIT-tomcat-2025-53506, BIT-tomcat-2025-49124, BIT-tomcat-2026-24880, BIT-tomcat-2026-43515, BIT-tomcat-2026-43513, BIT-tomcat-2026-25854, BIT-tomcat-2026-43514, BIT-tomcat-2025-66614, BIT-tomcat-2026-42498, BIT-tomcat-2025-48989, BIT-tomcat-2026-41284, BIT-tomcat-2025-46701, BIT-tomcat-2025-48988, BIT-tomcat-2026-43512, BIT-tomcat-2025-61795, BIT-tomcat-2026-24734, BIT-tomcat-2026-24733, BIT-tomcat-2026-41293, BIT-tomcat-2026-34483, BIT-tomcat-2025-55754, BIT-tomcat-2025-49125, BIT-tomcat-2025-55752, BIT-tomcat-2025-52520, BIT-tomcat-2026-34487, CVE-2026-29145, CVE-2025-52434, CVE-2026-29146, CVE-2025-55668, CVE-2026-34500] (osv-bomber,osv-scan,owasp)
      · cpe:2.3:a:apache:tomcat::::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone21::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone22::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone23::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone24::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone25::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone26::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat_native::::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:10.0.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:-::::::
      ·
      · cpe:2.3:a:apache:tomcat:10.1.0:-::::::
    • Vulnerabilities in: pkg:maven/ch.qos.logback/logback-core@1.2.13 [CVE-2025-11226, CVE-2024-12801, CVE-2024-12798, CVE-2026-1225] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework.boot/spring-boot@2.7.18 [CVE-2025-22235, CVE-2026-40973, CVE-2026-40974, CVE-2026-22733, CVE-2026-40972, CVE-2026-40975, CVE-2026-40977] (osv-bomber,osv-scan,owasp)
      ·
      · cpe:2.3:a:vmware:spring_boot::::::::
    • Vulnerabilities in: pkg:npm/vite@3.2.11 [CVE-2025-32395, CVE-2025-31125, CVE-2026-39365, CVE-2025-46565, CVE-2025-62522, CVE-2025-58751, CVE-2025-58752, CVE-2025-24010, CVE-2025-30208, CVE-2025-31486] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:npm/path-to-regexp@2.4.0 [CVE-2024-45296] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:npm/esbuild@0.15.18 [GHSA-67mh-4wv8-2f99] (osv-bomber)
      ·
    • Vulnerabilities in: pkg:npm/serialize-javascript@4.0.0 [GHSA-5c6j-r48x-rmvq] (osv-bomber)
      ·
    • Vulnerabilities in: pkg:maven/tools.jackson.core/jackson-core@2.14.2 [] ()
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-server@23.6-SNAPSHOT [CVE-2025-15022] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/flow-server@23.6-SNAPSHOT [CVE-2026-2742] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-coyote@9.0.104 [BIT-tomcat-2025-53506, CVE-2025-53506, BIT-tomcat-2026-24880, CVE-2026-24880, BIT-tomcat-2025-48989, CVE-2025-48989, BIT-tomcat-2026-24734, CVE-2026-24734] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat@9.0.104 [BIT-tomcat-2025-49124, CVE-2025-49124, BIT-tomcat-2026-43515, CVE-2026-43515, BIT-tomcat-2026-43513, CVE-2026-43513, BIT-tomcat-2026-25854, CVE-2026-25854, BIT-tomcat-2026-43514, CVE-2026-43514, BIT-tomcat-2025-66614, CVE-2025-66614, BIT-tomcat-2026-42498, CVE-2026-42498, BIT-tomcat-2026-41284, CVE-2026-41284, BIT-tomcat-2026-43512, CVE-2026-43512, BIT-tomcat-2025-61795, CVE-2025-61795, BIT-tomcat-2026-24733, CVE-2026-24733, BIT-tomcat-2026-41293, CVE-2026-41293, BIT-tomcat-2026-34483, CVE-2026-34483, BIT-tomcat-2025-55754, CVE-2025-55754, BIT-tomcat-2025-55752, CVE-2025-55752, BIT-tomcat-2026-34487, CVE-2026-34487] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.104 [BIT-tomcat-2025-49124, CVE-2025-49124, BIT-tomcat-2026-43515, CVE-2026-43515, BIT-tomcat-2026-43513, CVE-2026-43513, BIT-tomcat-2026-25854, CVE-2026-25854, BIT-tomcat-2026-43514, CVE-2026-43514, BIT-tomcat-2025-66614, CVE-2025-66614, BIT-tomcat-2026-42498, CVE-2026-42498, BIT-tomcat-2026-41284, CVE-2026-41284, BIT-tomcat-2025-46701, CVE-2025-46701, BIT-tomcat-2025-48988, CVE-2025-48988, BIT-tomcat-2026-43512, CVE-2026-43512, BIT-tomcat-2025-61795, CVE-2025-61795, BIT-tomcat-2026-24733, CVE-2026-24733, BIT-tomcat-2026-41293, CVE-2026-41293, BIT-tomcat-2026-34483, CVE-2026-34483, BIT-tomcat-2025-55754, CVE-2025-55754, BIT-tomcat-2025-49125, CVE-2025-49125, BIT-tomcat-2025-55752, CVE-2025-55752, BIT-tomcat-2025-52520, CVE-2025-52520, BIT-tomcat-2026-34487, CVE-2026-34487] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-webflux@5.3.32 [CVE-2026-22737, CVE-2026-22735, CVE-2026-22745, CVE-2024-38816, CVE-2024-38819, CVE-2026-22741] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.logging.log4j/log4j-api@2.25.3 [CVE-2026-34479, CVE-2026-34477] (owasp)
      · cpe:2.3:a:apache:log4j::::::::
      · cpe:2.3:a:apache:log4j:3.0.0:alpha1::::::
      · cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc1::::::
      · cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc2::::::
      · cpe:2.3:a:apache:log4j:3.0.0:beta1::::::
      · cpe:2.3:a:apache:log4j:3.0.0:beta2::::::
      · cpe:2.3:a:apache:log4j:3.0.0:beta3::::::
    • Vulnerabilities in: pkg:maven/org.apache.logging.log4j/log4j-to-slf4j@2.17.2 [CVE-2026-34479, CVE-2026-34477] (owasp)
      · cpe:2.3:a:apache:log4j::::::::
      · cpe:2.3:a:apache:log4j:3.0.0:alpha1::::::
      · cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc1::::::
      · cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc2::::::
      · cpe:2.3:a:apache:log4j:3.0.0:beta1::::::
      · cpe:2.3:a:apache:log4j:3.0.0:beta2::::::
      · cpe:2.3:a:apache:log4j:3.0.0:beta3::::::
    • Vulnerabilities in: pkg:maven/org.apache.poi/poi@5.2.3 [CVE-2025-31672] (owasp)
      · cpe:2.3:a:apache:poi::::::::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-core@23.6-SNAPSHOT [CVE-2026-2742, CVE-2026-2741] (owasp)
      · cpe:2.3:a:vaadin:vaadin::::::::

• 🟠 Changes in 23.6-SNAPSHOT since V23.6.10

  • 1 packages removed (1 external, 0 vaadin)
  • 30 packages modified (19 external, 11 vaadin)
  • 774 packages same (609 external, 165 vaadin)

[Click for more Details]