CVE-2026-53632
published 2026-06-22
CVE-2026-53632: launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths…
Priority P3 · 37 · medium · 5.5 · CVSS 4.0
EPSS: 0.32% (24.0th percentile)
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhoai | odh-mlflow-rhel9 | — | — |
| vitejs | launch-editor | < 2.14.1 | 2.14.1 |
| vitejs | vite | < 6.4.3 | 6.4.3 |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | >= 0 < 6.4.3 | 6.4.3 |
| vitejs | vite | >= 7.0.0 < 7.3.5 | 7.3.5 |
| vitejs | vite | >= 8.0.0 < 8.0.16 | 8.0.16 |
| vitejs | vite-plus | < 0.1.24 | 0.1.24 |
| vitejs | vite-plus | >= 0 < 0.1.24 | 0.1.24 |
CVSS provenance
nvd · v4.0 · 5.5 MEDIUM · CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat · 5.5 MEDIUM
Red Hat
launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path access
vendor_redhat·2026-06-22·CVSS 5.5
CVE-2026-53632 [MEDIUM] CWE-73 launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path access
A flaw was found in launch-editor. This component, used in Node.js to open files, can be tricked into accessing arbitrary paths, including Windows Universal Naming Convention (UNC) paths. When a malicious UNC
VulDB
vitejs launch-editor/vite/vite-plus up to 2.14.0 file inclusion (GHSA-v6wh-96g9-6wx3)
vuldb·2026-06-22·CVSS 5.5
CVE-2026-53632 [MEDIUM] vitejs launch-editor/vite/vite-plus up to 2.14.0 file inclusion (GHSA-v6wh-96g9-6wx3)
A vulnerability has been found in vitejs launch-editor, vite and vite-plus up to 2.14.0 and classified as problematic. Affected is an unknown function. The manipulation leads to file inclusion.
This vulnerability is uniquely identified as CVE-2026-53632. The attack can be carried out remotely. No exploit exists.
The affected component should be upgraded.
GHSA
launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
ghsa·2026-06-15
CVE-2026-53632 [MEDIUM] CWE-522 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
### Summary
The `launch-editor` NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.
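A defensive check for the behaviour summarised above: classify a file argument as a Windows network path before any filesystem call or editor launch touches it. This is an added example, not the project's code and not the 2.14.1 fix; the function names are hypothetical and the sample paths are constructed.

```javascript
// Classify a file argument the way Windows would read it, on any host OS.
// Returns 'remote' when the path names a network host, otherwise 'local'.
function classifyWindowsPath(fileName) {
  // Windows accepts "/" wherever "\" is allowed, so //host/share is UNC too.
  const p = String(fileName).replace(/\//g, '\\');
  // \\?\UNC\host\share and \\.\UNC\host\share are device-namespace UNC forms.
  if (/^\\\\[?.]\\UNC\\[^\\]+/i.test(p)) return 'remote';
  // Other \\?\ and \\.\ paths (\\?\C:\..., \\.\pipe\...) stay on this machine.
  if (/^\\\\[?.]\\/.test(p)) return 'local';
  // Plain UNC: two leading separators followed by a host name.
  if (/^\\\\[^\\]+/.test(p)) return 'remote';
  return 'local';
}

// Hypothetical guard to run before fs access or spawning an editor.
// Splits off a trailing ":line[:column]" suffix and refuses remote paths.
function checkEditorTarget(fileArg) {
  const pos = /:(\d+)(?::(\d+))?$/.exec(fileArg);
  const file = pos ? fileArg.slice(0, pos.index) : fileArg;
  if (classifyWindowsPath(file) === 'remote') {
    return { ok: false, reason: 'UNC path refused', file };
  }
  return {
    ok: true,
    file,
    line: pos ? Number(pos[1]) : 1,
    column: pos && pos[2] ? Number(pos[2]) : 1,
  };
}

// Constructed sample inputs (not taken from the advisory).
const samples = [
  'C:\\proj\\src\\app.js:10:5',
  '\\\\files.example.test\\share\\app.js:1',
  '//files.example.test/share/app.js',
  '\\\\?\\UNC\\files.example.test\\share\\app.js',
  '\\\\?\\C:\\proj\\src\\app.js',
];
for (const s of samples) {
  const r = checkEditorTarget(s);
  console.log(r.ok ? 'open  ' : 'refuse', s);
}
```

The check has to run before the first existence test or stat call on the path, because on Windows any access to a UNC path is enough to start the SMB connection.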
### Impact
If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the `launch-editor`:
- using Windows
- NTLM is not disabled ([it is recommended to disable](https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526), while it's still enabled by
No detection rules found.
No public exploits indexed.