Lucene search
K

74 matches found

Nuclei
Nuclei
added yesterday140 views

Vitest Browser Mode - Local File Read

Vitest is a testing framework powered by Vite. The screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host- true, an attacker can send a request to that handler from remote to get th...

7.5CVSS7AI score0.02317EPSS
Exploits0References6
OSV
OSV
added 2026/07/01 7:15 p.m.3 views

MAL-2026-6710 Malicious code in vitest-agent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e0165cbb3d6ed37a96889c4b016463706346e1c09413635c31ea1ceedde8774 The package's postinstall script node lib/utils/index.js spawns a detached, stdio-suppressed Node child process that runs...

5.9AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/01 7:15 p.m.6 views

Malicious code in vitest-agent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e0165cbb3d6ed37a96889c4b016463706346e1c09413635c31ea1ceedde8774 The package's postinstall script node lib/utils/index.js spawns a detached, stdio-suppressed Node child process that runs...

5.9AI score
Exploits0References4
Veracode
Veracode
added 2026/06/17 10:34 a.m.9 views

Cross-Site Scripting (XSS)

Vitest is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the otelCarrier query parameter being inserted directly into an inline module script and treated as JavaScript source rather than data, which allows an attacker to craft a malicious browser-runner URL and execute...

5.6AI score0.0005EPSS
Exploits0References4Affected Software2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/16 3:2 a.m.16 views

Malicious code in vitest-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39810890a1ffc946b3da439738fb619eab1613a775a308d6f248b80b38ce5603 Package vitest-pro is a namespace-abuse lure: its name suggests a vitest extension, but its source tree, README, and main entry lib/nodemailer.js are...

5.3AI score
Exploits0References2
OSV
OSV
added 2026/06/16 3:2 a.m.9 views

MAL-2026-5862 Malicious code in vitest-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39810890a1ffc946b3da439738fb619eab1613a775a308d6f248b80b38ce5603 Package vitest-pro is a namespace-abuse lure: its name suggests a vitest extension, but its source tree, README, and main entry lib/nodemailer.js are...

5.3AI score
Exploits0References2
OSV
OSV
added 2026/06/15 8:5 p.m.20 views

GHSA-G8MR-85JM-7XHM Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE

Summary Vitest Browser Mode exposes a cdp API that forwards raw Chrome DevTools Protocol CDP methods over the Vitest browser WebSocket RPC. CDP is not gated by browser.api.allowWrite, browser.api.allowExec, api.allowWrite, or api.allowExec. As a result, disabling Browser Mode write and exec...

9.8CVSS5.8AI score0.00089EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 8:5 p.m.7 views

Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE

Summary Vitest Browser Mode exposes a cdp API that forwards raw Chrome DevTools Protocol CDP methods over the Vitest browser WebSocket RPC. CDP is not gated by browser.api.allowWrite, browser.api.allowExec, api.allowWrite, or api.allowExec. As a result, disabling Browser Mode write and exec...

5.8AI score0.00089EPSS
Exploits0References2Affected Software2
Snyk
Snyk
added 2026/06/02 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/01 2:12 p.m.9 views

Cross-site Scripting (XSS)

Overview @vitest/browser is a Browser running for Vitest Affected versions of this package are vulnerable to Cross-site Scripting XSS via the otelCarrier query parameter being directly inserted into an inline script without sanitization. An attacker can execute arbitrary JavaScript in the context...

9.6CVSS5.8AI score0.0005EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/06/01 2:12 p.m.7 views

@aamini/config (>=0.0.1 <=0.0.13), @baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.278 <=2.1.0-alpha.281) +9 more potentially affected by CVE-2026-47428 via @vitest/browser (>=4.0.17 <=4.1.5)

@vitest/browser NPM version =4.0.17, =0.0.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.2, =4.0.2, =4.0.2, =0.5.0, =0.1.13, =0.2.2 Source cves: CVE-2026-47428 Source advisory: OSV:GHSA-2H32-95RG-CPPP...

5.7AI score0.0005EPSS
Exploits0
Snyk
Snyk
added 2026/06/01 2:12 p.m.11 views

Cross-site Scripting (XSS)

Overview vitest is a Next generation testing framework powered by Vite Affected versions of this package are vulnerable to Cross-site Scripting XSS via the otelCarrier query parameter being directly inserted into an inline script without sanitization. An attacker can execute arbitrary JavaScript ...

9.6CVSS5.8AI score0.0005EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/06/01 2:12 p.m.6 views

@a1st/aix (>=0.0.3 <=0.5.1), @a1st/aix-core (>=0.2.0 <=0.5.1) +74 more potentially affected by CVE-2026-47428 via vitest (>=4.0.17 <=4.1.5)

vitest NPM version =4.0.17, =0.0.3, =0.2.0, =0.79.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =0.0.231, =0.0.231, =4.0.0-alpha.49, =4.0.0-alpha.66 and more Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITEST-17120487...

5.7AI score0.0005EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 2:12 p.m.9 views

@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)

@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: OSV:GHSA-2H32-95RG-CPPP...

5.4AI score0.0005EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 2:12 p.m.8 views

@aamini/config (>=0.0.1 <=0.0.13), @baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.278 <=2.1.0-alpha.281) +9 more potentially affected by CVE-2026-47428 via @vitest/browser (>=4.0.17 <=4.1.5)

@vitest/browser NPM version =4.0.17, =0.0.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.2, =4.0.2, =4.0.2, =0.5.0, =0.1.13, =0.2.2 Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITESTBROWSER-17120486...

5.7AI score0.0005EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 2:12 p.m.7 views

@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)

@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITESTBROWSER-17120486...

5.4AI score0.0005EPSS
Exploits0
OSV
OSV
added 2026/06/01 2:12 p.m.31 views

GHSA-2H32-95RG-CPPP Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...

9.6CVSS6.1AI score0.0005EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/01 2:12 p.m.43 views

Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...

6.1AI score0.0005EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/06/01 2:9 p.m.9 views

Missing Authorization

Overview @vitest/browser is a Browser running for Vitest Affected versions of this package are vulnerable to Missing Authorization through the api and browser.api request handlers in the server and UI components. An attacker can run tests, modify project files, or overwrite snapshots by connectin...

9.2CVSS6AI score0.00232EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/06/01 2:9 p.m.7 views

@0xshogun/sdk (>=1.1.44 <=1.1.52), @0xshogun/sdk-react (>=1.1.14 <=1.1.65-beta) +7 more potentially affected by CVE-2026-47429 via @vitest/ui (>=3.0.7 <=3.2.4)

@vitest/ui NPM version =3.0.7, =1.1.44, =1.1.14, =0.5.0, =1.0.388, =1.1.52, =1.1.65, =1.0.0, =0.9.9, =0.10.4 Source cves: CVE-2026-47429 Source advisory: SNYK:JS-VITESTUI-17120328...

5.7AI score0.00232EPSS
Exploits0
Rows per page
Query Builder