cvebase

Vitejs Vite-Plus vulnerabilities

6 known vulnerabilities affecting vitejs/vite-plus.

Total CVEs: 6
CISA KEV: 0
Public exploits: 3
Exploited in the wild: 1
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 2

Vulnerabilities

CVE-2026-39365 | P1 | MEDIUM | CVSS 5.3 | exploited in the wild | public PoC | fixed in 0.1.16 | 2026-04-07
CWE-22 (path traversal). Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files locat
Source: nvd
CVE-2026-39363 | P2 | HIGH | CVSS 7.5 | public PoC | fixed in 0.1.16 | 2026-04-07
CWE-200 (exposure of sensitive information). Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary fi
Source: nvd
CVE-2026-39364 | P3 | HIGH | CVSS 7.5 | public PoC | fixed in 0.1.16 | 2026-04-07
CWE-180 (validate before canonicalize). Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.
Source: nvd
CVE-2026-53571 | P3 | HIGH | affected: ≥ 0, < 0.1.24 | 2026-06-15
CWE-200 (exposure of sensitive information). vite: `server.fs.deny` bypass on Windows alternate paths
Summary: The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows.
Impact: Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](ht
Source: ghsa
CVE-2026-53632 | P3 | MEDIUM | CVSS 5.5 | fixed in 0.1.24 | 2026-06-22
CWE-73 (external control of file name or path). launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-con
Sources: ghsa, nvd
CVE-2026-53633 | CRITICAL | affected: ≥ 0, < 0.1.24 | 2026-06-15
CWE-749 (exposed dangerous method or function). Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
Summary: Vitest Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSocket RPC. CDP is not gated by `browser.api.allowWrite`, `browser.api.allowExec`, `api.allowWrite`, or `api.allowExec`. As a resu
Source: ghsa
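The two WebSocket-facing entries on this page (CVE-2026-39363, which hinges on a connection without an Origin header, and CVE-2026-53633, a pass-through method that sits outside the allowWrite/allowExec gates) are both about a dev-server RPC surface that trusts the wrong thing. The block below is an added example, not Vitest's or Vite's code: it refuses the upgrade unless Origin is present and allow-listed, derives a capability set once from allowWrite/allowExec-style flags, and routes every method, including a raw `cdp` pass-through, through one capability check with unknown methods denied by default. The method names, the `METHOD_CAPABILITY` table, the stub backends and the `createSession` function are assumptions made for the example.

```javascript
// Added example (not Vite's or Vitest's code): origin-gated WebSocket upgrade
// plus a capability-gated RPC dispatcher for a dev-server side channel.

// Origins a local dev server would expect its own client to use (constructed).
const ALLOWED_ORIGINS = new Set(["http://localhost:5173", "http://127.0.0.1:5173"]);

// A missing Origin header is a rejection, not a pass: browsers always send it,
// so its absence means a non-browser client that must not be trusted by default.
function originAllowed(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers.origin ?? headers.Origin;
  return typeof origin === "string" && allowed.has(origin);
}

// Simulated upgrade decision: 101 to proceed with the WebSocket, 403 otherwise.
function handleUpgrade(headers) {
  return originAllowed(headers) ? { status: 101 } : { status: 403, reason: "origin" };
}

// Translate allowWrite/allowExec-style flags into a capability set once, at
// session start, so no later code path can consult the flags inconsistently.
function capabilitiesFromConfig({ allowWrite = false, allowExec = false } = {}) {
  const caps = new Set(["read"]);
  if (allowWrite) caps.add("write");
  if (allowExec) caps.add("exec");
  return caps;
}

// One table maps every RPC method to the capability it needs. A pass-through
// proxy such as "cdp" can do whatever the underlying protocol can (evaluate
// script, read and write files), so it is classed at the strongest level
// instead of being left ungated. Method names are assumptions for the example.
const METHOD_CAPABILITY = {
  "fs:read": "read",
  "fs:write": "write",
  "proc:exec": "exec",
  "cdp": "exec",
};

// Stand-in handlers (constructed); a real server would do the work here.
const backends = {
  "fs:read": ({ file }) => `read ${file}`,
  "fs:write": ({ file }) => `wrote ${file}`,
  "proc:exec": ({ cmd }) => `ran ${cmd}`,
  "cdp": ({ method }) => `forwarded ${method}`,
};

// Every call goes through this single gate: unknown methods are denied, and the
// method's required capability must be in the session's grant set.
function createRpcHandler(capabilities, impl = backends) {
  return function handle(method, params = {}) {
    const needed = METHOD_CAPABILITY[method];
    if (needed === undefined) return { ok: false, error: "unknown-method" };
    if (!capabilities.has(needed)) return { ok: false, error: `forbidden:${needed}` };
    return { ok: true, result: impl[method](params) };
  };
}

// Ties the two checks together: null when the upgrade is refused, otherwise a
// handler bound to the capabilities the configuration grants.
function createSession(headers, config) {
  if (handleUpgrade(headers).status !== 101) return null;
  return createRpcHandler(capabilitiesFromConfig(config));
}
```

The design point is that the pass-through method is not special-cased: it is an ordinary row in the capability table, so turning `allowExec` off closes it along with every other exec-class method, and a method that nobody added to the table cannot be reached at all.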