CVE-2026-39364
published 2026-04-07


Priority P3 (56) · high · 7.5 CVSS 3.1
AV:N AC:L PR:N UI:N S:U C:H I:N A:N
EXPLOIT
EPSS 2.10% (79.3rd percentile)
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

Affected (8 ranges)

Vendor     Product     Version range        Fixed in
vitejs     vite
vitejs     vite
vitejs     vite        7.0.0 – 7.3.1
vitejs     vite        >= 7.1.0 < 7.3.2     7.3.2
vitejs     vite        >= 8.0.0 < 8.0.5     8.0.5
vitejs     vite        8.0.0 – 8.0.4
vitejs     vite-plus   < 0.1.16             0.1.16
voidzero   vite        <= 0.1.15

Detection & IOCs (extracted from sources)

  url:   {{BaseURL}}/.env?raw
  other: ?raw
  other: ?import&raw
  other: ?import&url&inline
  path:  /.vite/../
  sigma: contains_all(body, "export default", "data:application/json;base64") AND contains_any(content_type, "text/javascript", "application/javascript") AND status_code == 200
  • Look for HTTP GET requests to sensitive files (e.g., /.env, *.crt) that include query parameters ?raw, ?import&raw, or ?import&url&inline and return HTTP 200 responses — these indicate a successful bypass of server.fs.deny restrictions.
  • Detect Vite dev server exposure via the presence of /@vite/client in HTTP response bodies (FOFA/Shodan fingerprint).
  • Exploit confirmation: a successful bypass returns a JavaScript content-type response containing 'export default' and 'data:application/json;base64' in the body with status 200, while a direct request to the same file returns 403.
  • Directory traversal variant: detect requests containing dot-segment sequences (e.g., /.vite/../) targeting the Vite dev server when --host or server.host is enabled.
  • The vulnerability is exploitable without authentication against Vite dev servers exposed on the network (--host flag). Prioritize detection on internet-facing or LAN-exposed dev servers.
  • The query-parameter bypass (CVE-2026-39364) affects Vite versions 7.1.0 up to (but not including) 7.3.2 and 8.0.5. The directory traversal variant described in DOC 2 affects versions prior to 6.4.3, 6.3.4, and 5.4.23 — these are distinct version ranges and may represent a related but separate issue.
  • The vulnerability only affects the Vite development server, not production builds. Exposure requires the dev server to be network-accessible (via --host or server.host configuration).
  • Red Hat notes no mitigation is currently available that meets their criteria; affected packages include automation-controller, automation-eda-controller, automation-gateway, automation-platform-ui, and others in Red Hat Ansible Automation Platform 2.
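The detection bullets above can be turned into a small log-review script. The following is an added example (not from this page's sources or the Vite project): it parses combined-format access log lines, flags GET requests for files that server.fs.deny should block (the advisory names .env and *.crt; the .pem/.key patterns are an assumption) when they carry one of the listed bypass query-parameter sets and return 200, flags dot-segment paths such as /.vite/../ regardless of status, and implements the response-side confirmation rule (JavaScript content type, status 200, body containing "export default" and "data:application/json;base64"). The log lines and the sample response body are constructed.

```python
"""Access-log and response checks for the Vite dev-server server.fs.deny bypass.

Added example; the log lines and response below are constructed, not captured.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Files server.fs.deny is expected to block. The advisory names .env and *.crt;
# .pem and .key are added here as an assumption about typical deny lists.
SENSITIVE_PATH = re.compile(r"(^|/)(\.env(\.[^/]*)?|[^/]+\.(crt|pem|key))$", re.I)

# Query-parameter combinations the advisory lists as bypassing server.fs.deny.
BYPASS_QUERY_SETS = ({"raw"}, {"import", "raw"}, {"import", "url", "inline"})

# Apache/nginx combined log format: client, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
    r'(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def bypass_query_present(query: str) -> bool:
    """True if the query string contains one of the bypass parameter sets."""
    names = set(parse_qs(query, keep_blank_values=True))
    return any(needed <= names for needed in BYPASS_QUERY_SETS)


def dot_segment_traversal(path: str) -> bool:
    """True if the percent-decoded path has a '..' segment (e.g. /.vite/../)."""
    return ".." in unquote(path).split("/")


def classify_request(method: str, target: str, status: int) -> list:
    """Return detection tags for one request; an empty list means no finding."""
    parts = urlsplit(target)
    tags = []
    # A 200 for a denied file with a bypass query is the successful-bypass signal.
    if (method.upper() == "GET" and status == 200
            and SENSITIVE_PATH.search(unquote(parts.path))
            and bypass_query_present(parts.query)):
        tags.append("fs_deny_query_bypass")
    # Dot-segment requests are worth a look whatever the status code.
    if dot_segment_traversal(parts.path):
        tags.append("dot_segment_traversal")
    return tags


def scan_access_log(lines):
    """Parse combined-format lines; return (ip, target, status, tags) for hits."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        status = int(m["status"])
        tags = classify_request(m["method"], m["target"], status)
        if tags:
            hits.append((m["ip"], m["target"], status, tags))
    return hits


def bypass_confirmed(status: int, content_type: str, body: str) -> bool:
    """Response-side confirmation rule from the detection notes."""
    ct = (content_type or "").lower()
    return (status == 200
            and ("text/javascript" in ct or "application/javascript" in ct)
            and "export default" in body
            and "data:application/json;base64" in body)


# Constructed sample log: a direct denied request, two bypass hits, normal
# Vite module traffic, a dot-segment request, and ?raw on a harmless asset.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Apr/2026:10:00:01 +0000] "GET /.env HTTP/1.1" 403 0',
    '198.51.100.7 - - [07/Apr/2026:10:00:02 +0000] "GET /.env?raw HTTP/1.1" 200 612',
    '198.51.100.7 - - [07/Apr/2026:10:00:03 +0000] "GET /certs/server.crt?import&url&inline HTTP/1.1" 200 2048',
    '198.51.100.7 - - [07/Apr/2026:10:00:04 +0000] "GET /src/main.ts?import HTTP/1.1" 200 900',
    '198.51.100.7 - - [07/Apr/2026:10:00:05 +0000] "GET /.vite/../.env HTTP/1.1" 200 612',
    '198.51.100.7 - - [07/Apr/2026:10:00:06 +0000] "GET /logo.svg?raw HTTP/1.1" 200 300',
]

# Constructed response body shaped like the confirmation rule describes.
SAMPLE_RESPONSE = (200, "text/javascript", 'export default "data:application/json;base64,e30="')

if __name__ == "__main__":
    for ip, target, status, tags in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target} {status} -> {', '.join(tags)}")
    print("response confirms bypass:", bypass_confirmed(*SAMPLE_RESPONSE))
```

The ?raw request for logo.svg is deliberately left unflagged: ?raw is ordinary Vite import syntax, so the path filter is what keeps the rule from paging on every asset import. The same goes for the 403 on a direct /.env request, which is the expected deny behaviour and becomes interesting only next to a 200 for the same file with a bypass query.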

CVSS provenance

  nvd v3.1:         7.5 HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  nvd v4.0:         8.2 HIGH  CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  vendor (Red Hat): 8.2 HIGH