Lucene search
K

13 matches found

Cvelist
Cvelist
added yesterday14 views

CVE-2026-47428 Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Vitest is a testing framework powered by Vite. From 4.0.17 until 4.1.6 and 5.0.0-beta.3, Vitest Browser Mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script, allowing a crafted browser-runner URL to execute arbitrary JavaScript in the Vitest...

9.6CVSS0.0005EPSS
Exploits0References7
CVE
CVE
added yesterday40 views

CVE-2026-47428

Vitest browser mode is affected by an XSS in which the otelCarrier query parameter is inserted directly into an inline script. Affected versions are 4.0.17 through 4.1.6 and 5.0.0-beta.3; this can allow an attacker to craft a browser-runner URL to execute arbitrary JavaScript in the Vitest server...

9.6CVSS6.3AI score0.0005EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/06/01 2:12 p.m.45 views

Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...

9.6CVSS6.1AI score0.0005EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/01 2:12 p.m.32 views

GHSA-2H32-95RG-CPPP Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...

9.6CVSS6.1AI score0.0005EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/01 2:12 p.m.9 views

Cross-site Scripting (XSS)

Overview @vitest/browser is a Browser running for Vitest Affected versions of this package are vulnerable to Cross-site Scripting XSS via the otelCarrier query parameter being directly inserted into an inline script without sanitization. An attacker can execute arbitrary JavaScript in the context...

9.6CVSS5.8AI score0.0005EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/06/01 2:12 p.m.7 views

@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)

@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITESTBROWSER-17120486...

5.4AI score0.0005EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 2:12 p.m.8 views

@aamini/config (>=0.0.1 <=0.0.13), @baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.278 <=2.1.0-alpha.281) +9 more potentially affected by CVE-2026-47428 via @vitest/browser (>=4.0.17 <=4.1.5)

@vitest/browser NPM version =4.0.17, =0.0.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.2, =4.0.2, =4.0.2, =0.5.0, =0.1.13, =0.2.2 Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITESTBROWSER-17120486...

5.7AI score0.0005EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 2:12 p.m.10 views

@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)

@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: OSV:GHSA-2H32-95RG-CPPP...

5.4AI score0.0005EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 2:12 p.m.8 views

@aamini/config (>=0.0.1 <=0.0.13), @baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.278 <=2.1.0-alpha.281) +9 more potentially affected by CVE-2026-47428 via @vitest/browser (>=4.0.17 <=4.1.5)

@vitest/browser NPM version =4.0.17, =0.0.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.2, =4.0.2, =4.0.2, =0.5.0, =0.1.13, =0.2.2 Source cves: CVE-2026-47428 Source advisory: OSV:GHSA-2H32-95RG-CPPP...

5.7AI score0.0005EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/01 2:9 p.m.8 views

@1771technologies/oneplay (>=0.0.1 <=0.0.6), @baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.249 <=2.1.0-alpha.251) +7 more potentially affected by CVE-2026-47429 via @vitest/browser (>=3.0.5 <=3.2.4)

@vitest/browser NPM version =3.0.5, =0.0.1, =2.1.0-alpha.249, =2.1.0-alpha.249, =2.1.0-alpha.249, =2.1.0-alpha.249, =2.1.0-alpha.249, =3.8.0, =1.0.1, =0.0.2, =0.0.5 Source cves: CVE-2026-47429 Source advisory: SNYK:JS-VITESTBROWSER-17120327...

5.7AI score0.00232EPSS
Exploits0
Snyk
Snyk
added 2026/06/01 2:9 p.m.9 views

Missing Authorization

Overview @vitest/browser is a Browser running for Vitest Affected versions of this package are vulnerable to Missing Authorization through the api and browser.api request handlers in the server and UI components. An attacker can run tests, modify project files, or overwrite snapshots by connectin...

9.2CVSS6AI score0.00232EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/06/01 2:9 p.m.5 views

@baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.278 <=2.1.0-alpha.281), @baic/preset-yolk-umi-mobile (>=2.1.0-alpha.278 <=2.1.0-alpha.281) +8 more potentially affected by CVE-2026-47429 via @vitest/browser (>=4.0.0-beta.11 <=4.1.0-beta.2)

@vitest/browser NPM version =4.0.0-beta.11, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.0, =4.0.0, =4.0.0, =0.5.0, =0.1.0, =0.2.0-alpha.4 Source cves: CVE-2026-47429 Source advisory: SNYK:JS-VITESTBROWSER-17120327...

5.4AI score0.00232EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.29 views

PT-2026-45491

Name of the Vulnerable Software and Affected Versions Vitest versions 4.0.17 through 4.1.5 Vitest versions 5.0.0-beta.0 through 5.0.0-beta.2 Description In browser mode, the software serves the '/ vitest test /' endpoint where the otelCarrier query parameter is inserted directly into an inline...

9.6CVSS6.5AI score0.0005EPSS
Exploits0References14
Rows per page
Query Builder