145 matches found
Vite - Arbitrary File Read
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...
Security Bulletin: A vite-7.1.5.tgz vulnerability found by Scanner affects IBM Rational Functional Tester / DevOps Test UI
Summary: There is a vulnerability in vite-7.1.5.tgz used by Rational Functional Tester (RFT) / DevOps Test UI (Test UI). RFT/Test UI has addressed the applicable CVE. Vulnerability Details: CVEID: CVE-2025-62522 DESCRIPTION: Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to...
CVE-2026-39364
A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve...
Vite Access Control Error Vulnerability
Vite is a new type of front-end build tool developed by Vite itself. Versions of Vite from 7.1.0 to 7.3.2, as well as versions before 8.0.5, have an access control error vulnerability. This vulnerability stems from the ability to bypass the server file blocklist, potentially allowing access to fil...
Vite Path Traversal Vulnerability
Vite is a new type of front-end build tool developed by Vite itself. Versions of Vite from 6.0.0 to 6.4.2, before 7.3.2, and before 8.0.5 contained a path traversal vulnerability. This vulnerability stemmed from insufficient path traversal restrictions on .map requests, which could allow bypassin...
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
Summary: Any files ending with .map, even outside the project, can be returned to the browser. Impact: Only apps that match the following conditions are affected: - explicitly expose the Vite dev server to the network using --host or server.host config option - have sensitive content in files...
@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +204 more potentially affected by CVE-2026-39365 via vite (>=7.0.1 <=7.3.1)
vite NPM version =7.0.1, =1.89.2, =20.1.3, =20.1.3, =0.1.0, =0.0.4, =0.2.9, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.28.0 and more Source cves: CVE-2026-39365 Source advisory: SNYK:JS-VITE-15922213...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1045 more potentially affected by CVE-2026-39365 via vite (>=8.0.0 <=8.0.3)
vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 - @aero-js/cli =0.4.0 and more Source cves: CVE-2026-39365 Source advisory: OSV:GHSA-4W7W-66W2-5VF9...
Directory Traversal
Overview: vite is a Native-ESM powered web dev build tool. Affected versions of this package are vulnerable to Directory Traversal via the handling of .map files in the dev server when resolving file paths. An attacker can access sensitive files outside the project root by injecting ../ segments in...
@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +226 more potentially affected by CVE-2026-39365 via vite (>=7.0.0 <=7.3.1)
vite NPM version =7.0.0, =1.89.2, =20.1.0, =20.1.0, =0.1.0, =0.0.4, =0.2.9, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.28.0 and more Source cves: CVE-2026-39365 Source advisory: OSV:GHSA-4W7W-66W2-5VF9...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1022 more potentially affected by CVE-2026-39365 via vite (>=8.0.1 <=8.0.3)
vite NPM version =8.0.1, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 - @aero-js/cli =0.4.0 and more Source cves: CVE-2026-39365 Source advisory: SNYK:JS-VITE-15922213...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1045 more potentially affected by CVE-2026-39364 via vite (>=8.0.0 <=8.0.3)
vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 - @aero-js/cli =0.4.0 and more Source cves: CVE-2026-39364 Source advisory: SNYK:JS-VITE-15922245...
Incorrect Behavior Order: Validate Before Canonicalize
Overview: vite is a Native-ESM powered web dev build tool. Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through the server.fs.deny component. An attacker can access sensitive files by appending specific query parameters such as ?raw,...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1045 more potentially affected by CVE-2026-39364 via vite (>=8.0.0 <=8.0.3)
vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 - @aero-js/cli =0.4.0 and more Source cves: CVE-2026-39364 Source advisory: OSV:GHSA-V2WJ-Q39Q-566R...
@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +186 more potentially affected by CVE-2026-39364 via vite (>=7.1.0 <=7.3.1)
vite NPM version =7.1.0, =1.89.2, =20.2.0, =20.2.0, =0.1.0, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.28.0 and more Source cves: CVE-2026-39364 Source advisory: OSV:GHSA-V2WJ-Q39Q-566R...
@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +186 more potentially affected by CVE-2026-39364 via vite (>=7.1.0 <=7.3.1)
vite NPM version =7.1.0, =1.89.2, =20.2.0, =20.2.0, =0.1.0, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.28.0 and more Source cves: CVE-2026-39364 Source advisory: SNYK:JS-VITE-15922245...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1045 more potentially affected by CVE-2026-39363 via vite (>=8.0.0 <=8.0.3)
vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 - @aero-js/cli =0.4.0 and more Source cves: CVE-2026-39363 Source advisory: SNYK:JS-VITE-15922242...
@1771technologies/oneplay (>=0.0.1 <=0.0.6), @aklesky/vite-config (>=1.0.0 <=1.0.1) +192 more potentially affected by CVE-2026-39363 via vite (>=6.0.0 <=6.4.1)
vite NPM version =6.0.0, =0.0.1, =1.0.0, =0.2.0, =4.25.19-patch.2, =19.1.0, =19.1.0, =0.55.0, =0.21.2-4.1, =0.4.2, =0.4.11 and more Source cves: CVE-2026-39363 Source advisory: OSV:GHSA-P9FF-H696-F583...
@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +226 more potentially affected by CVE-2026-39363 via vite (>=7.0.0 <=7.3.1)
vite NPM version =7.0.0, =1.89.2, =20.1.0, =20.1.0, =0.1.0, =0.0.4, =0.2.9, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.28.0 and more Source cves: CVE-2026-39363 Source advisory: SNYK:JS-VITE-15922242...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1045 more potentially affected by CVE-2026-39363 via vite (>=8.0.0 <=8.0.3)
vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 - @aero-js/cli =0.4.0 and more Source cves: CVE-2026-39363 Source advisory: OSV:GHSA-P9FF-H696-F583...