Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2026-39364 — Incorrect Behavior Order: Validate Before Canonicalize in Vite-plus
Severity
8.2HIGHNVD
EPSS
4.5%
top 10.82%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedApr 7
Description
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Packages3 packages
🔴Vulnerability Details
2💥Exploits & PoCs
1Nuclei▶
Vite Dev Server - Directory Traversal
📋Vendor Advisories
1Red Hat▶
vite: Vite: Information disclosure via query parameter manipulation on the development server↗2026-04-07
🕵️Threat Intelligence
1💬Community
4Bugzilla▶
CVE-2026-39364 vite: Vite: Information disclosure via query parameter manipulation on the development server↗2026-04-07
Bugzilla▶
CVE-2026-39364 nodejs-aw-webui: Vite: Information disclosure via query parameter manipulation on the development server [fedora-all]↗2026-04-07
Bugzilla▶
CVE-2026-39364 forgejo: Vite: Information disclosure via query parameter manipulation on the development server [epel-all]↗2026-04-07
Bugzilla▶
CVE-2026-39364 forgejo: Vite: Information disclosure via query parameter manipulation on the development server [fedora-all]↗2026-04-07