Lucene search
+L

875 matches found

nvd
nvd
added 2026/04/23 2:16 a.m.10 views

CVE-2026-41211

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

10CVSS0.00311EPSS
Exploits1References1
vulnrichment
vulnrichment
added 2026/04/23 12:56 a.m.5 views

CVE-2026-41211 `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

8.4CVSS5.8AI score0.00311EPSS
Exploits1References1
cvelist
cvelist
added 2026/04/23 12:56 a.m.31 views

CVE-2026-41211 `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

8.4CVSS0.00311EPSS
Exploits1References1
cve
cve
added 2026/04/23 12:56 a.m.38 views

CVE-2026-41211

Summary of CVE-2026-41211 (vite-plus/binding) : The vulnerability affects Vite+ before version 0.1.17, where downloadPackageManager() uses an untrusted version string directly in filesystem paths. An attacker can supply traversal segments (e.g., ../) or absolute paths to escape VP_HOME/package_ma...

10CVSS5.8AI score0.00311EPSS
Exploits1References1Affected Software1
osv
osv
added 2026/04/23 12:56 a.m.4 views

CVE-2026-41211 `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

8.4CVSS5.9AI score0.00311EPSS
Exploits1References3
cnnvd
cnnvd
added 2026/04/23 12:0 a.m.12 views

Vite 路径遍历漏洞

Vite is a new type of front-end build tool developed by Vite itself. Versions of Vite prior to 0.1.17 contained a path traversal vulnerability. This vulnerability stemmed from the downloadPackageManager accepting untrusted version strings, which could lead to path traversal attacks...

10CVSS5.8AI score0.00311EPSS
Exploits1References1
ptsecurity
ptsecurity
added 2026/04/23 12:0 a.m.16 views

PT-2026-34601

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP HOME/package manager// cache root a...

8.4CVSS5.8AI score0.00311EPSS
Exploits1References2
ossf
ossf
added 2026/04/16 1:34 a.m.11 views

Malicious code in vite-plugin-compress-plus (npm)

vite-plugin-compress-plus is a malicious npm package that when imported downloads and executes a C2 dropper from https://www.jsonkeeper.com/b/OTOAQ. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65e37bfe23d9bb451691cffd0333e0900835c8982785dde1908973adf2beaa7a...

5.7AI score
Exploits0
osv
osv
added 2026/04/16 1:34 a.m.9 views

MAL-2026-2913 Malicious code in vite-plugin-compress-plus (npm)

vite-plugin-compress-plus is a malicious npm package that when imported downloads and executes a C2 dropper from https://www.jsonkeeper.com/b/OTOAQ. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65e37bfe23d9bb451691cffd0333e0900835c8982785dde1908973adf2beaa7a...

5.7AI score
Exploits0
osv
osv
added 2026/04/16 1:2 a.m.8 views

GHSA-33R3-4WHC-44C2 Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME

Summary downloadPackageManager in vite-plus/binding accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments to escape the VPHOME/packagemanager// cache root and cause Vite+ to delete, replace, and populate directories outside the intended cac...

10CVSS5.8AI score0.00311EPSS
Exploits1References3
github
github
added 2026/04/16 1:2 a.m.9 views

Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME

Summary downloadPackageManager in vite-plus/binding accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments to escape the VPHOME/packagemanager// cache root and cause Vite+ to delete, replace, and populate directories outside the intended cac...

10CVSS5.8AI score0.00311EPSS
Exploits1References3Affected Software1
veracode
veracode
added 2026/04/15 11:5 a.m.8 views

Sensitive Information Disclosure

Vite is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper enforcement of file access restrictions in the dev server, which allows an attacker to bypass deny rules using crafted query parameters and access sensitive files...

8.2CVSS5.7AI score0.02095EPSS
Exploits1References10Affected Software1
github
github
added 2026/04/10 3:36 p.m.9 views

@vitejs/plugin-rsc has a Denial of Service with React Server Components

Impact @vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.4. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg Patches Upgrade immediately to @vitejs/[email protected] or...

5.8AI score
Exploits0References2Affected Software1
githubexploit
githubexploit
added 2026/04/08 3:31 p.m.241 views

Exploit for CVE-2026-39363

CVE-2026-39363 Vite Dev Server WebSocket Arbitrary File Read...

8.2CVSS5.9AI score0.02907EPSS
Exploits3
redhatcve
redhatcve
added 2026/04/07 10:10 p.m.6 views

CVE-2026-39363

A flaw was found in Vite, a frontend tooling framework. A remote attacker can exploit this vulnerability by connecting to the Vite development server's WebSocket without an Origin header. This allows the attacker to invoke the fetchModule function, enabling them to retrieve the contents of...

8.2CVSS6AI score0.02907EPSS
Exploits3References4
redhatcve
redhatcve
added 2026/04/07 9:52 p.m.4 views

CVE-2026-39364

A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve...

8.2CVSS5.8AI score0.02095EPSS
Exploits1References4
redhatcve
redhatcve
added 2026/04/07 9:52 p.m.7 views

CVE-2026-39365

A flaw was found in Vite. The development server's handling of .map requests contains a path traversal vulnerability. A remote attacker can exploit this by sending a specially crafted request with directory traversal sequences ../ to bypass security restrictions. This allows the attacker to...

6.3CVSS5.8AI score0.00914EPSS
Exploits1References4
nvd
nvd
added 2026/04/07 8:16 p.m.23 views

CVE-2026-39365

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...

6.3CVSS0.00914EPSS
Exploits1References1
nvd
nvd
added 2026/04/07 8:16 p.m.13 views

CVE-2026-39364

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny e.g., .env, .crt can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are...

8.2CVSS0.02095EPSS
Exploits1References5
nvd
nvd
added 2026/04/07 8:16 p.m.21 views

CVE-2026-39363

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?r...

8.2CVSS0.02907EPSS
Exploits3References7
Rows per page
Query Builder