
147 matches found

Nuclei
added yesterday | 191 views

Vite - Arbitrary File Read

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...

7.5 CVSS | 6.7 AI score | 0.76736 EPSS
Exploits: 28 | References: 2

NVD
added 4 days ago | 7 views

CVE-2026-53571

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...

8.2 CVSS | 0.00393 EPSS
Exploits: 1 | References: 1

Patchstack
added 2026/06/15 5:17 p.m. | 4 views

NPM: vite: `server.fs.deny` bypass on Windows alternate paths

NPM: vite: server.fs.deny bypass on Windows alternate paths vulnerability discovered by ? in WordPress Npm vite versions = 6.4.2...

8.2 CVSS | 5.8 AI score | 0.00393 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2026/06/13 12:56 p.m. | 2 views

ROOT-APP-NPM-CVE-2025-58751 CVE-2025-58751 in @rootio/vite - Patched by Root

Root has patched CVE-2025-58751 in the @rootio/vite package for Root:npm. Multiple fixed versions available...

5.3 CVSS | 5.8 AI score | 0.0118 EPSS
Exploits: 1

IBM Security Bulletins
added 2026/05/25 3:9 p.m. | 10 views

Security Bulletin: A vite-7.1.5.tgz vulnerability found by Scanner affects IBM Rational Functional Tester / DevOps Test UI

Summary: There is a vulnerability in vite-7.1.5.tgz used by Rational Functional Tester (RFT) / DevOps Test UI (Test UI). RFT/Test UI has addressed the applicable CVE. Vulnerability Details: CVEID: CVE-2025-62522. DESCRIPTION: Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to...

6 CVSS | 6 AI score | 0.01031 EPSS
Exploits: 0 | Affected Software: 1

RedhatCVE
added 2026/04/07 9:52 p.m. | 2 views

CVE-2026-39364

A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve...

8.2 CVSS | 5.8 AI score | 0.0172 EPSS
Exploits: 1 | References: 4

CNNVD
added 2026/04/07 12:0 a.m. | 5 views

Vite Path Traversal Vulnerability

Vite is a new type of front-end build tool developed by Vite itself. Versions of Vite from 6.0.0 to 6.4.2, before 7.3.2, and before 8.0.5 contained a path traversal vulnerability. This vulnerability stemmed from insufficient path traversal restrictions on .map requests, which could allow bypassin...

6.3 CVSS | 5.8 AI score | 0.00914 EPSS
Exploits: 1 | References: 2

CNNVD
added 2026/04/07 12:0 a.m. | 3 views

Vite Access Control Error Vulnerability

Vite is a new type of front-end build tool developed by Vite itself. Versions of Vite from 7.1.0 to 7.3.2, as well as versions before 8.0.5, have an access control error vulnerability. This vulnerability stems from the ability to bypass the server file blocklist, potentially allowing access to fil...

8.2 CVSS | 5.8 AI score | 0.0172 EPSS
Exploits: 1 | References: 2

Github Security Blog
added 2026/04/06 6:3 p.m. | 239 views

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

Summary: Any files ending with .map, even outside the project, can be returned to the browser. Impact: Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - have sensitive content in files...

6.3 CVSS | 5.9 AI score | 0.00914 EPSS
Exploits: 1 | References: 8 | Affected Software: 1

vulnersOsv
added 2026/04/06 6:3 p.m. | 4 views

@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +204 more potentially affected by CVE-2026-39365 via vite (>=7.0.1 <=7.3.1)

vite NPM version =7.0.1, =1.89.2, =20.1.3, =20.1.3, =0.1.0, =0.0.4, =0.2.9, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.29.0 and more Source cves: CVE-2026-39365 Source advisory: SNYK:JS-VITE-15922213...

6.3 CVSS | 5.4 AI score | 0.00914 EPSS
Exploits: 1

Snyk
added 2026/04/06 6:3 p.m. | 7 views

Directory Traversal

Overview: vite is a Native-ESM powered web dev build tool. Affected versions of this package are vulnerable to Directory Traversal via the handling of .map files in the dev server when resolving file paths. An attacker can access sensitive files outside the project root by injecting ../ segments in...

6.3 CVSS | 6.5 AI score | 0.00914 EPSS
Exploits: 1 | References: 2

vulnersOsv
added 2026/04/06 6:3 p.m. | 6 views

@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1192 more potentially affected by CVE-2026-39365 via vite (>=8.0.1 <=8.0.3)

vite NPM version =8.0.1, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 and more Source cves: CVE-2026-39365 Source advisory: SNYK:JS-VITE-15922213...

6.3 CVSS | 5.4 AI score | 0.00914 EPSS
Exploits: 1

vulnersOsv
added 2026/04/06 6:3 p.m. | 6 views

@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1214 more potentially affected by CVE-2026-39365 via vite (>=8.0.0 <=8.0.3)

vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 and more Source cves: CVE-2026-39365 Source advisory: OSV:GHSA-4W7W-66W2-5VF9...

6.3 CVSS | 5.4 AI score | 0.00914 EPSS
Exploits: 1

vulnersOsv
added 2026/04/06 6:3 p.m. | 7 views

@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +226 more potentially affected by CVE-2026-39365 via vite (>=7.0.0 <=7.3.1)

vite NPM version =7.0.0, =1.89.2, =20.1.0, =20.1.0, =0.1.0, =0.0.4, =0.2.9, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.29.0 and more Source cves: CVE-2026-39365 Source advisory: OSV:GHSA-4W7W-66W2-5VF9...

6.3 CVSS | 5.4 AI score | 0.00914 EPSS
Exploits: 1

vulnersOsv
added 2026/04/06 6:3 p.m. | 5 views

@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +187 more potentially affected by CVE-2026-39364 via vite (>=7.1.0 <=7.3.1)

vite NPM version =7.1.0, =1.89.2, =20.2.0, =20.2.0, =0.1.0, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.29.0 and more Source cves: CVE-2026-39364 Source advisory: SNYK:JS-VITE-15922245...

8.2 CVSS | 5.4 AI score | 0.0172 EPSS
Exploits: 1

vulnersOsv
added 2026/04/06 6:3 p.m. | 8 views

@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1214 more potentially affected by CVE-2026-39364 via vite (>=8.0.0 <=8.0.3)

vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 and more Source cves: CVE-2026-39364 Source advisory: OSV:GHSA-V2WJ-Q39Q-566R...

8.2 CVSS | 5.4 AI score | 0.0172 EPSS
Exploits: 1

Snyk
added 2026/04/06 6:3 p.m. | 3 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview: vite is a Native-ESM powered web dev build tool. Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through the server.fs.deny component. An attacker can access sensitive files by appending specific query parameters such as ?raw,...

8.2 CVSS | 5.7 AI score | 0.0172 EPSS
Exploits: 1 | References: 2

vulnersOsv
added 2026/04/06 6:3 p.m. | 6 views

@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1214 more potentially affected by CVE-2026-39364 via vite (>=8.0.0 <=8.0.3)

vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 and more Source cves: CVE-2026-39364 Source advisory: SNYK:JS-VITE-15922245...

8.2 CVSS | 5.4 AI score | 0.0172 EPSS
Exploits: 1

vulnersOsv
added 2026/04/06 6:3 p.m. | 6 views

@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +187 more potentially affected by CVE-2026-39364 via vite (>=7.1.0 <=7.3.1)

vite NPM version =7.1.0, =1.89.2, =20.2.0, =20.2.0, =0.1.0, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.29.0 and more Source cves: CVE-2026-39364 Source advisory: OSV:GHSA-V2WJ-Q39Q-566R...

8.2 CVSS | 5.4 AI score | 0.0172 EPSS
Exploits: 1

vulnersOsv
added 2026/04/06 6:3 p.m. | 8 views

@1771technologies/oneplay (>=0.0.1 <=0.0.6), @aicblock/cli (>=1.0.0 <=1.0.1) +197 more potentially affected by CVE-2026-39363 via vite (>=6.0.0 <=6.4.1)

vite NPM version =6.0.0, =0.0.1, =1.0.0, =1.0.0, =0.2.0, =4.25.19-patch.2, =19.1.0, =19.1.0, =0.55.0, =0.21.2-4.1, =0.21.23 and more Source cves: CVE-2026-39363 Source advisory: OSV:GHSA-P9FF-H696-F583...

8.2 CVSS | 5.4 AI score | 0.02292 EPSS
Exploits: 3