CVE-2024-52011
Published 2026-06-01
Priority: P3 · 50 · high
CVSS 3.1: 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS: 0.50% (38.8th percentile)
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9.
Affected
48 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-24 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-25 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-rhel9 | — | — |
| ansible-automation-platform | automation-portal | — | — |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| discovery | discovery-ui-rhel9 | — | — |
| openshift-lightspeed | lightspeed-console-plugin-419-rhel9 | — | — |
| openshift-lightspeed | lightspeed-console-plugin-pf5-rhel9 | — | — |
| openshift-lightspeed | lightspeed-console-plugin-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-pf5-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel8 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel9 | — | — |
| openshift-pipelines | pipelines-hub-ui-rhel8 | — | — |
| openshift-pipelines | pipelines-hub-ui-rhel9 | — | — |
| openshift-service-mesh | kiali-operator-bundle | — | — |
| openshift-service-mesh | kiali-ossmc-rhel8 | — | — |
| openshift-service-mesh | kiali-ossmc-rhel9 | — | — |
| openshift-service-mesh | kiali-rhel8 | — | — |
| openshift-service-mesh | kiali-rhel9 | — | — |
| openshift-service-mesh | kiali-rhel9-operator | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
| nvd | v4.0 | 7.5 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
launch-editor: vite: launch-editor: Arbitrary command execution via insufficient file argument sanitization
vendor_redhat·2026-06-01·CVSS 7.5
CVE-2024-52011 [HIGH] CWE-88 launch-editor: vite: launch-editor: Arbitrary command execution via insufficient file argument sanitization
A flaw was found in launch-editor, a tool that allows users to open files with line numbers in an editor from Node.js. Due to insufficient sanitization of the `file` argument in the `launchEditor` function, an attacker can execute arbitrary commands on Windows systems by supplying a filename that contains special characters. This can lead to a complete compromise of the affected system.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: cryostat-openshift-console-plugin-npm (Cryos
GHSA
launch-editor vulnerable to command injection via the crafted request on Windows
ghsa·2026-06-03
CVE-2024-52011 [HIGH] CWE-77 launch-editor vulnerable to command injection via the crafted request on Windows
### Summary
Due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.
### Impact
If the following conditions are met, an attacker can execute arbitrary commands on the computer that is using the `launch-editor`:
- An attacker can place a file with the malicious filename
- An attacker can call the `launchEditor` method with the `file` argument controlled
- The `launch-editor` package is running on Windows
For example, some development servers using this package satisfy these conditions, as a malicious website might be able to force the downloading of a file and the path of
VulDB
vitejs launch-editor up to 2.8.x on Windows Special Character launchEditor File command injection
vuldb·2026-06-01·CVSS 7.5
CVE-2024-52011 [HIGH] vitejs launch-editor up to 2.8.x on Windows Special Character launchEditor File command injection
A vulnerability classified as critical was found in vitejs launch-editor up to 2.8.x on Windows. This affects the function launchEditor of the component Special Character Handler. The manipulation of the argument File results in command injection.
This vulnerability is known as CVE-2024-52011. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
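A defender-side check for the upgrade advice above, added here as an example (not code from launch-editor or from any of the quoted advisories): it walks a parsed `package-lock.json` and reports every installed copy of `launch-editor` older than 2.9.0, including copies nested under other packages. The lockfile contents and the `some-dev-server` package name are constructed for illustration.

```javascript
const PACKAGE = "launch-editor";
const FIXED = [2, 9, 0]; // first fixed release according to the advisory text

// True when `version` sorts before 2.9.0. A pre-release of 2.9.0 itself
// (e.g. "2.9.0-beta.1") counts as older; unparseable versions are flagged.
function isVulnerable(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true;
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Walk a parsed package-lock.json. lockfileVersion 2/3 keeps a flat `packages`
// map keyed by install path; version 1 nests copies under `dependencies`.
function findVulnerableLaunchEditor(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE) && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      // v2 lockfiles carry both maps, so skip paths already reported above.
      if (name === PACKAGE && isVulnerable(meta.version) &&
          !hits.some((h) => h.path === path)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: one patched top-level copy, one old nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/launch-editor": { version: "2.9.1" },
    "node_modules/some-dev-server/node_modules/launch-editor": { version: "2.8.2" },
    "node_modules/launch-editor-middleware": { version: "2.9.1" },
  },
};
console.log(findVulnerableLaunchEditor(sampleLock));
```

To scan a real project, pass `JSON.parse` of its `package-lock.json` to `findVulnerableLaunchEditor`; a nested hit means the top-level version alone does not show whether the fix is installed.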
- https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e
- https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf
- https://access.redhat.com/security/cve/CVE-2024-52011
- https://bugzilla.redhat.com/show_bug.cgi?id=2483853
- https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-52011.json