13 matches found
CVE-2026-47428 Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
Vitest is a testing framework powered by Vite. From 4.0.17 until 4.1.6 and 5.0.0-beta.3, Vitest Browser Mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script, allowing a crafted browser-runner URL to execute arbitrary JavaScript in the Vitest...
CVE-2026-47428
Vitest browser mode is affected by an XSS in which the otelCarrier query parameter is inserted directly into an inline script. Affected versions are 4.0.17 through 4.1.6 and 5.0.0-beta.3; this can allow an attacker to craft a browser-runner URL to execute arbitrary JavaScript in the Vitest server...
Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...
GHSA-2H32-95RG-CPPP Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...
Cross-site Scripting (XSS)
Overview @vitest/browser is a Browser running for Vitest Affected versions of this package are vulnerable to Cross-site Scripting XSS via the otelCarrier query parameter being directly inserted into an inline script without sanitization. An attacker can execute arbitrary JavaScript in the context...
@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)
@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITESTBROWSER-17120486...
@aamini/config (>=0.0.1 <=0.0.13), @baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.278 <=2.1.0-alpha.281) +9 more potentially affected by CVE-2026-47428 via @vitest/browser (>=4.0.17 <=4.1.5)
@vitest/browser NPM version =4.0.17, =0.0.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.2, =4.0.2, =4.0.2, =0.5.0, =0.1.13, =0.2.2 Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITESTBROWSER-17120486...
@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)
@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: OSV:GHSA-2H32-95RG-CPPP...
@aamini/config (>=0.0.1 <=0.0.13), @baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.278 <=2.1.0-alpha.281) +9 more potentially affected by CVE-2026-47428 via @vitest/browser (>=4.0.17 <=4.1.5)
@vitest/browser NPM version =4.0.17, =0.0.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.2, =4.0.2, =4.0.2, =0.5.0, =0.1.13, =0.2.2 Source cves: CVE-2026-47428 Source advisory: OSV:GHSA-2H32-95RG-CPPP...
@1771technologies/oneplay (>=0.0.1 <=0.0.6), @baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.249 <=2.1.0-alpha.251) +7 more potentially affected by CVE-2026-47429 via @vitest/browser (>=3.0.5 <=3.2.4)
@vitest/browser NPM version =3.0.5, =0.0.1, =2.1.0-alpha.249, =2.1.0-alpha.249, =2.1.0-alpha.249, =2.1.0-alpha.249, =2.1.0-alpha.249, =3.8.0, =1.0.1, =0.0.2, =0.0.5 Source cves: CVE-2026-47429 Source advisory: SNYK:JS-VITESTBROWSER-17120327...
Missing Authorization
Overview @vitest/browser is a Browser running for Vitest Affected versions of this package are vulnerable to Missing Authorization through the api and browser.api request handlers in the server and UI components. An attacker can run tests, modify project files, or overwrite snapshots by connectin...
@baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.278 <=2.1.0-alpha.281), @baic/preset-yolk-umi-mobile (>=2.1.0-alpha.278 <=2.1.0-alpha.281) +8 more potentially affected by CVE-2026-47429 via @vitest/browser (>=4.0.0-beta.11 <=4.1.0-beta.2)
@vitest/browser NPM version =4.0.0-beta.11, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.0, =4.0.0, =4.0.0, =0.5.0, =0.1.0, =0.2.0-alpha.4 Source cves: CVE-2026-47429 Source advisory: SNYK:JS-VITESTBROWSER-17120327...
PT-2026-45491
Name of the Vulnerable Software and Affected Versions Vitest versions 4.0.17 through 4.1.5 Vitest versions 5.0.0-beta.0 through 5.0.0-beta.2 Description In browser mode, the software serves the '/ vitest test /' endpoint where the otelCarrier query parameter is inserted directly into an inline...