Lucene search
K

867 matches found

Nuclei
Nuclei
added yesterday73 views

Vite Dev Server - Information Exposure

Vite is a frontend tooling framework for JavaScript. Before versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network using...

6CVSS6.2AI score0.01077EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday41 views

Vite Dev Server - Path Traversal

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or...

5.3CVSS6.2AI score0.0118EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday11 views

Vite dev server - Cross-Site Scripting

Vite's dev server, when used with appType: 'custom' and manually invoking server.transformIndexHtml using the unmodified request URL, is vulnerable to XSS via a crafted URL payload. If the HTML being served includes an inline module script ..., an attacker can inject a script via the URL,...

6.1CVSS6.7AI score0.00997EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday14 views

Vite Dev Server - Information Exposure

Vite dev server could allow reading files from the Vite project root by bypassing server.fs.deny with double forward-slash paths //. This affects exposed dev servers only. id: CVE-2023-34092 info: name: Vite Dev Server - Information Exposure author: ritikchaddha severity: high description: | Vite...

7.5CVSS7AI score0.03152EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday55 views

Vite - Path Traversal

Vite versions prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13 contain a file exposure vulnerability caused by improper handling of request URLs with '' in the dev server running on Node or Bun, letting attackers access arbitrary files, exploit requires the server to be exposed to the network an...

6CVSS6.7AI score0.01725EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday65 views

Vite server.fs.deny Bypass - Local File Inclusion

Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest- script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than...

5.3CVSS6.7AI score0.38685EPSS
Exploits7References5
Nuclei
Nuclei
added yesterday26 views

Vite Development Server - Path Traversal

Path traversal vulnerability in Vite development server's @fs endpoint allows attackers to access files outside the intended directory. When exposed to the network, attackers can exploit this via crafted URLs to access sensitive system files. id: CVE-2025-31125 info: name: Vite Development Server...

7.5CVSS6.5AI score0.58765EPSS
Exploits9References4
Nuclei
Nuclei
added yesterday91 views

Vite Dev Server - Path Traversal in Optimized Deps .map Handling

Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePathpath.resolveroot, url.slice1 and call...

6.3CVSS6.1AI score0.00914EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday253 views

Vite - Arbitrary File Read

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...

7.5CVSS6.7AI score0.74998EPSS
Exploits28References2
OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago5 views

Malicious code in mdb-vite (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d24ffe7ac6e64aab50d9ba84f5b06ffd1047663698d25071770749b36afe6543 The package's default export getPlugin performs an HTTPS fetch to https://svganchordev.net/icons/107 with URL components split across protocol, domai...

6.2AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 5 days ago8 views

Malicious code in vite-pwa-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0 Package vite-pwa-config impersonates the popular vite-plugin-pwa antfu — the README instructs users to import configJson from vite-plugin-pwa, and...

6.6AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago9 views

Malicious code in @vite-js/ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 476576198de86a58304788ac79ac3c8ca21b5029d9e824e3ffab41f539146c3b Package @vite-js/ui impersonates the official vite package: package.json declares author 'Evan You', homepage 'https://vitejs.dev', ships an unmodifi...

6.3AI score
Exploits0References2
OSV
OSV
added 6 days ago1 views

MAL-2026-7021 Malicious code in @vite-js/ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 476576198de86a58304788ac79ac3c8ca21b5029d9e824e3ffab41f539146c3b Package @vite-js/ui impersonates the official vite package: package.json declares author 'Evan You', homepage 'https://vitejs.dev', ships an unmodifi...

6.3AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago7 views

Malicious code in @vite-ln/build-ts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8972bbfdd55ad200dd49b08501d7391beca99841f0c36479806f2b1e329950a2 Package @vite-ln/build-ts copies the legitimate vite package's manifest verbatim description 'Native-ESM powered web dev build tool', author 'Evan...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago10 views

Malicious code in vite-json-pwa (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f9204782dfa050ba762ce8c8a35c01e9f7b1e8bf82e140854d182f9614080b6 [email protected] impersonates the legitimate vite-plugin-pwa package author metadata claims 'inna voik' while funding/homepage point at the real...

6.3AI score
Exploits0References3
OSV
OSV
added 6 days ago6 views

MAL-2026-6969 Malicious code in vite-json-pwa (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f9204782dfa050ba762ce8c8a35c01e9f7b1e8bf82e140854d182f9614080b6 [email protected] impersonates the legitimate vite-plugin-pwa package author metadata claims 'inna voik' while funding/homepage point at the real...

6.3AI score
Exploits0References3
OSV
OSV
added 2026/07/02 7:59 a.m.6 views

ROOT-APP-NPM-CVE-2025-62522 CVE-2025-62522 in @rootio/vite - Patched by Root

Root has patched CVE-2025-62522 in the @rootio/vite package for Root:npm. Multiple fixed versions available...

6.5CVSS5.3AI score0.01031EPSS
Exploits0
OSV
OSV
added 2026/07/02 7:59 a.m.8 views

ROOT-APP-NPM-CVE-2026-39365 CVE-2026-39365 in @rootio/vite - Patched by Root

Root has patched CVE-2026-39365 in the @rootio/vite package for Root:npm. Multiple fixed versions available...

5.3CVSS5.8AI score0.00914EPSS
Exploits1
NVD
NVD
added 2026/06/23 1:16 p.m.17 views

CVE-2026-56301

Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...

6.8CVSS0.00103EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/23 12:13 p.m.10 views

EUVD-2026-38436

Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...

6.8CVSS6AI score0.00103EPSS
Exploits0References4
Rows per page
Query Builder