This is a maintenance release for Vaadin 25.0. See 25.0.0 release notes for details and resources.
Changes since 25.0.11
- Flow: 25.0.12 → 25.0.13 → 25.0.14
- Hilla: 25.0.12 → 25.0.13
- Web Components: 25.0.11 → 25.0.12 → 25.0.13
- Flow Components: 25.0.11 → 25.0.12
- TestBench: 10.0.5 → 10.0.6
- Copilot: 25.0.11 → 25.0.12
- Observability Kit: 4.0.0 → 4.0.1
- Quarkus plugin: 3.0.3 → 3.0.4
Unchanged Modules
- Multiplatform Runtime (MPR): 8.0.1
- Router: 2.0.1
- Collaboration Engine: 7.0.0
- Kubernetes Kit: 3.0.1
- SSO Kit: 4.0.2
- CDI add-on: 16.0.1
- AppSec Kit: 4.0.2 (docs)
- Azure Kit: 1.0.0 (docs)
- Swing Kit: 3.0.1 (docs)
Note:
We are aware of the following CVEs (CVE-2026-43515, CVE-2026-43513, CVE-2026-43514, CVE-2026-42498, CVE-2026-41284, CVE-2026-43512, CVE-2026-41293) from Tomcat, which is a transitive dependency from SpringBoot 4.0.6. Tomcat is a runtime deployment choice made by application developers, which Vaadin does not use or depend on. You can be upgraded on the application side to Tomcat 9.0.118+, 10.1.55+ or 11.0.22+. The corresponding updates will come in their next releases (SpringBoot 4.0.7).