Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2026-39365 — Path Traversal in Vite-plus
Severity: 6.3 MEDIUM (NVD)
EPSS: 1.3% (top 19.91%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline: Published Apr 7
Description
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Packages: 3 packages
Vulnerability Details

Exploits & PoCs (2)
- Nuclei (1): Vite Dev Server - Path Traversal in Optimized Deps .map Handling

Vendor Advisories
- Red Hat (1): vite: Vite: Information disclosure via path traversal in dev server's .map request handling (2026-04-07)

Threat Intelligence

Community (1)
- Bugzilla (4):
  - CVE-2026-39365 forgejo: Vite: Information disclosure via path traversal in dev server's .map request handling [epel-all] (2026-04-07)
  - CVE-2026-39365 vite: Vite: Information disclosure via path traversal in dev server's .map request handling (2026-04-07)
  - CVE-2026-39365 forgejo: Vite: Information disclosure via path traversal in dev server's .map request handling [fedora-all] (2026-04-07)
  - CVE-2026-39365 nodejs-aw-webui: Vite: Information disclosure via path traversal in dev server's .map request handling [fedora-all] (2026-04-07)