cbcvebase.
CVE-2026-53632
published 2026-06-22

CVE-2026-53632: launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths…

Priority P3 37 | medium 5.5 | CVSS 4.0
EPSS: 0.32% (24.0th percentile)
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
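A caller-side guard for the behaviour described above, as an added example; it is not launch-editor's code and not the 2.14.1 fix. `classifyPath` and `assertLocalPath` are hypothetical names, and the sample paths in the comments are constructed.

```javascript
// Patterns for the Windows path forms that name a remote host or a device.
const DEVICE_UNC = /^[\\/]{2}[?.][\\/]UNC[\\/]/i;  // \\?\UNC\host\share
const DEVICE_DRIVE = /^[\\/]{2}[?.][\\/][a-z]:/i;  // \\?\C:\dir (local, long-path form)
const DEVICE_ANY = /^[\\/]{2}[?.][\\/]/;           // \\.\pipe\x and other device paths
const DOUBLE_SEP = /^[\\/]{2}/;                    // \\host\share or //host/share

// Returns 'remote', 'local' or 'invalid' for a path string or file: URL.
function classifyPath(input) {
  if (typeof input !== 'string' || input.length === 0) return 'invalid';
  if (/^file:/i.test(input)) {
    let url;
    try { url = new URL(input); } catch { return 'invalid'; }
    const host = url.hostname.toLowerCase();
    // file://host/share resolves to \\host\share on Windows.
    if (host !== '' && host !== 'localhost') return 'remote';
    // Re-check the decoded path part so an encoded or nested UNC form is caught.
    try { return classifyPath(decodeURIComponent(url.pathname)); }
    catch { return 'invalid'; }
  }
  if (DEVICE_UNC.test(input)) return 'remote';
  if (DEVICE_DRIVE.test(input)) return 'local';
  if (DEVICE_ANY.test(input)) return 'invalid';
  if (DOUBLE_SEP.test(input)) return 'remote';
  return 'local';
}

// Call before handing a "file[:line[:column]]" string to any file opener.
function assertLocalPath(input) {
  const kind = classifyPath(input);
  if (kind !== 'local') {
    throw new Error(`refusing ${kind} path: ${JSON.stringify(input)}`);
  }
  return input;
}
```

The check is purely lexical, so it does not cover a mapped network drive letter or a symlink that points at a share; upgrading to a fixed version remains the remediation the advisory gives.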

Affected

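10 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhoai | odh-mlflow-rhel9 | | |
| vitejs | launch-editor | < 2.14.1 | 2.14.1 |
| vitejs | vite | < 6.4.3 | 6.4.3 |
| vitejs | vite | | |
| vitejs | vite | | |
| vitejs | vite | >= 0 < 6.4.3 | 6.4.3 |
| vitejs | vite | >= 7.0.0 < 7.3.5 | 7.3.5 |
| vitejs | vite | >= 8.0.0 < 8.0.16 | 8.0.16 |
| vitejs | vite-plus | < 0.1.24 | 0.1.24 |
| vitejs | vite-plus | >= 0 < 0.1.24 | 0.1.24 |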

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 5.5 | MEDIUM | |