This is a maintenance release for Vaadin 25.1. See 25.1.0 release notes for details and resources.
Changes since 25.1.6
- Flow: 25.1.7 → 25.1.8, 25.1.9 → 25.1.10
- Hilla: 25.1.5 → 25.1.6
- Web Components: 25.1.3 → 25.1.4
- Flow Components: 25.1.6 → 25.1.7
- Copilot: 25.1.5 → 25.1.6
- Quarkus plugin: 3.1.2 → 3.1.3
Unchanged Modules
- TestBench: 10.1.2
- Browserless Test: 1.0.0
- Multiplatform Runtime (MPR): 8.0.1
- Router: 2.0.1
- Collaboration Engine: 7.0.0
- Kubernetes Kit: 3.1.1
- Observability Kit: 4.1.1
- SSO Kit: 4.1.2
- CDI add-on: 16.0.1
- AppSec Kit: 4.0.2 (docs)
- Azure Kit: 1.0.0 (docs)
- Swing Kit: 3.0.1 (docs)
Note:
We are aware of the following CVEs (CVE-2026-43515, CVE-2026-43513, CVE-2026-43514, CVE-2026-42498, CVE-2026-41284, CVE-2026-43512, CVE-2026-41293) from Tomcat, which is a transitive dependency from SpringBoot 4.0.6. Tomcat is a runtime deployment choice made by application developers, which Vaadin does not use or depend on. You can be upgraded on the application side to Tomcat 9.0.118+, 10.1.55+ or 11.0.22+. The corresponding updates will come in their next releases (SpringBoot 4.0.7).