875 matches found
CVE-2026-41211
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...
CVE-2026-41211 `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...
CVE-2026-41211 `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...
CVE-2026-41211
Summary of CVE-2026-41211 (vite-plus/binding) : The vulnerability affects Vite+ before version 0.1.17, where downloadPackageManager() uses an untrusted version string directly in filesystem paths. An attacker can supply traversal segments (e.g., ../) or absolute paths to escape VP_HOME/package_ma...
CVE-2026-41211 `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...
Vite 路径遍历漏洞
Vite is a new type of front-end build tool developed by Vite itself. Versions of Vite prior to 0.1.17 contained a path traversal vulnerability. This vulnerability stemmed from the downloadPackageManager accepting untrusted version strings, which could lead to path traversal attacks...
PT-2026-34601
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP HOME/package manager// cache root a...
Malicious code in vite-plugin-compress-plus (npm)
vite-plugin-compress-plus is a malicious npm package that when imported downloads and executes a C2 dropper from https://www.jsonkeeper.com/b/OTOAQ. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65e37bfe23d9bb451691cffd0333e0900835c8982785dde1908973adf2beaa7a...
MAL-2026-2913 Malicious code in vite-plugin-compress-plus (npm)
vite-plugin-compress-plus is a malicious npm package that when imported downloads and executes a C2 dropper from https://www.jsonkeeper.com/b/OTOAQ. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65e37bfe23d9bb451691cffd0333e0900835c8982785dde1908973adf2beaa7a...
GHSA-33R3-4WHC-44C2 Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME
Summary downloadPackageManager in vite-plus/binding accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments to escape the VPHOME/packagemanager// cache root and cause Vite+ to delete, replace, and populate directories outside the intended cac...
Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME
Summary downloadPackageManager in vite-plus/binding accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments to escape the VPHOME/packagemanager// cache root and cause Vite+ to delete, replace, and populate directories outside the intended cac...
Sensitive Information Disclosure
Vite is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper enforcement of file access restrictions in the dev server, which allows an attacker to bypass deny rules using crafted query parameters and access sensitive files...
@vitejs/plugin-rsc has a Denial of Service with React Server Components
Impact @vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.4. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg Patches Upgrade immediately to @vitejs/[email protected] or...
Exploit for CVE-2026-39363
CVE-2026-39363 Vite Dev Server WebSocket Arbitrary File Read...
CVE-2026-39363
A flaw was found in Vite, a frontend tooling framework. A remote attacker can exploit this vulnerability by connecting to the Vite development server's WebSocket without an Origin header. This allows the attacker to invoke the fetchModule function, enabling them to retrieve the contents of...
CVE-2026-39364
A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve...
CVE-2026-39365
A flaw was found in Vite. The development server's handling of .map requests contains a path traversal vulnerability. A remote attacker can exploit this by sending a specially crafted request with directory traversal sequences ../ to bypass security restrictions. This allows the attacker to...
CVE-2026-39365
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...
CVE-2026-39364
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny e.g., .env, .crt can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are...
CVE-2026-39363
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?r...