Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2026-39363 — Sensitive Information Exposure in Vite-plus
Severity: 8.2 HIGH (NVD)
EPSS: 4.3% (top 11.09%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Apr 7
Description
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allo…
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Packages: 3 packages
Vulnerability Details

Exploits & PoCs (2)
- Nuclei (1): Vite Dev Server - Arbitrary File Read

Vendor Advisories
- Red Hat (1)

Threat Intelligence / Community
- Bugzilla (4):
  - CVE-2026-39363 Vite: Vite: Information disclosure via WebSocket connection bypasses access control (2026-04-07)
  - CVE-2026-39363 forgejo: Vite: Information disclosure via WebSocket connection bypasses access control [fedora-all] (2026-04-07)
  - CVE-2026-39363 nodejs-aw-webui: Vite: Information disclosure via WebSocket connection bypasses access control [fedora-all] (2026-04-07)
  - CVE-2026-39363 forgejo: Vite: Information disclosure via WebSocket connection bypasses access control [epel-all] (2026-04-07)