875 matches found
org.webjars.npm:vitepress (=1.0.0-draft.8) potentially affected by CVE-2026-39365 via org.webjars.npm:vite (=3.0.0-beta.9)
org.webjars.npm:vite MAVEN version =3.0.0-beta.9 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vite and may be impacted: - org.webjars.npm:vitepress =1.0.0-draft.8 Source cves: CVE-2026-39365 Source advisory:...
Directory Traversal
Overview vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal via the handling of .map files in the dev server when resolving file paths. An attacker can access sensitive files outside the project root by injecting ../ segments in...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1233 more potentially affected by CVE-2026-39365 via vite (>=8.0.1 <=8.0.3)
vite NPM version =8.0.1, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 and more Source cves: CVE-2026-39365 Source advisory: SNYK:JS-VITE-15922213...
@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +189 more potentially affected by CVE-2026-39365 via vite (>=7.0.1 <=7.3.1)
vite NPM version =7.0.1, =1.89.2, =20.1.3, =0.1.0, =0.0.4, =0.2.9, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.29.0 and more Source cves: CVE-2026-39365 Source advisory: SNYK:JS-VITE-15922213...
@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +211 more potentially affected by CVE-2026-39365 via vite (>=7.0.0 <=7.3.1)
vite NPM version =7.0.0, =1.89.2, =20.1.0, =0.1.0, =0.0.4, =0.2.9, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.29.0 and more Source cves: CVE-2026-39365 Source advisory: OSV:GHSA-4W7W-66W2-5VF9...
@slidev-react/cli (>=0.4.6 <=0.4.14), @slidev-react/node (>=0.4.6 <=0.4.14) potentially affected by CVE-2026-39365 via vite-plus (=0.1.11)
vite-plus NPM version =0.1.11 is affected by a known vulnerability. The following packages have a transitive dependency on vite-plus and may be impacted: - @slidev-react/cli =0.4.6, =0.4.6, =0.4.14 Source cves: CVE-2026-39365 Source advisory: SNYK:JS-VITEPLUS-15922214...
Directory Traversal
Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal via the handling of .map files in the dev server when resolving file paths. An attacker can access sensitive files outside the project root by injecting...
GHSA-4W7W-66W2-5VF9 Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
Summary Any files ending with .map even out side the project can be returned to the browser. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - have a sensitive content in files...
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
Summary Any files ending with .map even out side the project can be returned to the browser. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - have a sensitive content in files...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1254 more potentially affected by CVE-2026-39364 via vite (>=8.0.0 <=8.0.3)
vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 and more Source cves: CVE-2026-39364 Source advisory: OSV:GHSA-V2WJ-Q39Q-566R...
Vite: `server.fs.deny` bypassed with queries
Summary The contents of files that are specified by server.fs.deny can be returned to the browser. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - the sensitive file exists in th...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1254 more potentially affected by CVE-2026-39364 via vite (>=8.0.0 <=8.0.3)
vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 and more Source cves: CVE-2026-39364 Source advisory: SNYK:JS-VITE-15922245...
@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +172 more potentially affected by CVE-2026-39364 via vite (>=7.1.0 <=7.3.1)
vite NPM version =7.1.0, =1.89.2, =20.2.0, =0.1.0, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.29.0 and more Source cves: CVE-2026-39364 Source advisory: OSV:GHSA-V2WJ-Q39Q-566R...
@slidev-react/cli (>=0.4.6 <=0.4.14), @slidev-react/node (>=0.4.6 <=0.4.14) potentially affected by CVE-2026-39364 via vite-plus (=0.1.11)
vite-plus NPM version =0.1.11 is affected by a known vulnerability. The following packages have a transitive dependency on vite-plus and may be impacted: - @slidev-react/cli =0.4.6, =0.4.6, =0.4.14 Source cves: CVE-2026-39364 Source advisory: SNYK:JS-VITEPLUS-15922246...
Incorrect Behavior Order: Validate Before Canonicalize
Overview vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through the server.fs.deny component. An attacker can access sensitive files by appending specific query parameters such as ?raw,...
Incorrect Behavior Order: Validate Before Canonicalize
Overview vite-plus is a The Unified Toolchain for the Web Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through the server.fs.deny component. An attacker can access sensitive files by appending specific query parameters such as ?raw,...
@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +172 more potentially affected by CVE-2026-39364 via vite (>=7.1.0 <=7.3.1)
vite NPM version =7.1.0, =1.89.2, =20.2.0, =0.1.0, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.29.0 and more Source cves: CVE-2026-39364 Source advisory: SNYK:JS-VITE-15922245...
GHSA-V2WJ-Q39Q-566R Vite: `server.fs.deny` bypassed with queries
Summary The contents of files that are specified by server.fs.deny can be returned to the browser. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - the sensitive file exists in th...
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
Summary server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - WebSocket is no...
@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1254 more potentially affected by CVE-2026-39363 via vite (>=8.0.0 <=8.0.3)
vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 and more Source cves: CVE-2026-39363 Source advisory: OSV:GHSA-P9FF-H696-F583...