
300 matches found

Nuclei
added yesterday, 26 views

Vite server.fs.deny Bypass - Local File Inclusion

Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init, or by sending a sec-fetch-dest: script header, the server.fs.deny restriction could be bypassed. This bypass is only possible if the file is smaller than...

CVSS 5.3 | AI score 6.8 | EPSS 0.35194
Exploits 7 | References 5
Nuclei
added yesterday, 14 views

Vite - Path Traversal

Vite versions prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13 contain a file exposure vulnerability caused by improper handling of request URLs containing '' in the dev server when running on Node or Bun, letting attackers read arbitrary files; exploitation requires the server to be exposed to the network an...

CVSS 6 | AI score 6.7 | EPSS 0.01736
Exploits 2 | References 2
Nuclei
added yesterday, 13 views

Vite Dev Server - Information Exposure

Vite is a frontend tooling framework for JavaScript. Before versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network using...

CVSS 6 | AI score 6.1 | EPSS 0.01077
Exploits 1 | References 2
Nuclei
added yesterday, 50 views

Vite Dev Server - Path Traversal in Optimized Deps .map Handling

Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and call...

CVSS 6.3 | AI score 5.9 | EPSS 0.00914
Exploits 1 | References 3
CVE
added 2 days ago, 15 views

CVE-2026-14631

Vulnerability overview: CVE-2026-14631 affects webpack-dev-server up to version 5.2.5. An unauthenticated peer sending a normal HTTP request with a malformed Host header or a WebSocket upgrade to /ws with a malformed Origin header triggers an uncaught exception in the host-validation path, crashi...

CVSS 5.3 | AI score 6 | EPSS 0.00308
Exploits 0 | References 2
CVE
added 2 days ago, 15 views

CVE-2026-14620

webpack-dev-server prior to 5.2.6 exposes two internal endpoints (/webpack-dev-server/open-editor and /webpack-dev-server/invalidate) that perform state-changing actions on any GET request without origin verification. This enables cross-origin interactions when a user visits any website while the...

CVSS 4.7 | AI score 6.1 | EPSS 0.00116
Exploits 0 | References 2
RedhatCVE
added 3 days ago, 7 views

CVE-2026-9595

A flaw was found in webpack-dev-server. When a user configures a proxy with a broad context, such as '/', and enables WebSocket forwarding (ws: true), the development server's own Hot Module Replacement (HMR) WebSocket can be intercepted. This interception leads to the leakage of the browser's cookie...

CVSS 7.1 | AI score 5.7 | EPSS 0.00163
Exploits 0 | References 8
OSV
added 5 days ago, 5 views

ROOT-APP-NPM-CVE-2026-6402 CVE-2026-6402 in @rootio/webpack-dev-server - Patched by Root

Root has patched CVE-2026-6402 in the @rootio/webpack-dev-server package for Root:npm. Multiple fixed versions available...

CVSS 6.5 | AI score 5.3 | EPSS 0.00216
Exploits 0
OSV
added 5 days ago, 5 views

ROOT-APP-NPM-CVE-2025-30359 CVE-2025-30359 in @rootio/webpack-dev-server - Patched by Root

Root has patched CVE-2025-30359 in the @rootio/webpack-dev-server package for Root:npm. Multiple fixed versions available...

CVSS 5.9 | AI score 5.8 | EPSS 0.00427
Exploits 1
OSV
added 5 days ago, 3 views

ROOT-APP-NPM-CVE-2025-30360 CVE-2025-30360 in @rootio/webpack-dev-server - Patched by Root

Root has patched CVE-2025-30360 in the @rootio/webpack-dev-server package for Root:npm. Multiple fixed versions available...

CVSS 6.5 | AI score 5.8 | EPSS 0.00287
Exploits 1
ATTACKERKB
added 2026/06/22 4:10 p.m., 4 views

CVE-2026-53571

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...

CVSS 8.2 | AI score 5.9 | EPSS 0.00393
Exploits 1 | References 2 | Affected Software 1
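Three entries on this page (the server.fs.deny bypass via ?.svg, ?.wasm?init and sec-fetch-dest: script, the "Information Exposure" entry for files denied by a matching pattern, and CVE-2026-53571 on Windows) all end with a deny-listed file reaching the browser through a URL that does not look like a plain file request. The following is an added example, not Vite's code: a check over dev-server access logs that flags any request whose path, with query string removed and percent-encoding decoded, names a file matching the deny list, whatever suffix was appended. The deny patterns are Vite's documented default list; the log lines are constructed for the demo, and the tiny glob matcher is an approximation written for it.

```javascript
// Vite's documented default server.fs.deny list (the only non-constructed input here).
const DEFAULT_DENY = ['.env', '.env.*', '*.{crt,pem}'];

// Minimal glob-to-RegExp for basenames: '*' matches within one segment, '{a,b}' is alternation.
// Written for this demo; it does not cover every glob feature.
function globToRegExp(glob) {
  const src = glob
    .replace(/[.+?^$()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '[^/]*')
    .replace(/\{([^}]+)\}/g, (_, alts) => '(' + alts.split(',').join('|') + ')');
  return new RegExp('^' + src + '$');
}

// Scan combined-format access log lines; return every request whose decoded path
// names a deny-listed file, regardless of query suffix. Status is kept so that
// served (200) responses can be separated from blocked probes.
function findDeniedFileRequests(logLines, deny = DEFAULT_DENY) {
  const matchers = deny.map(globToRegExp);
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/);
    if (!m) continue;
    const { target, status } = m.groups;
    const q = target.indexOf('?');
    const rawPath = q === -1 ? target : target.slice(0, q);
    const query = q === -1 ? '' : target.slice(q);
    let decoded;
    try {
      decoded = decodeURIComponent(rawPath);
    } catch (e) {
      decoded = rawPath; // undecodable path: still match on what we have
    }
    const base = decoded.split('/').pop();
    if (matchers.some((re) => re.test(base))) {
      hits.push({ path: decoded, query, status: Number(status) });
    }
  }
  return hits;
}

// Constructed sample log (not real traffic): one benign request, one benign .svg,
// and four requests for denied files hidden behind the suffix tricks named on this page.
const SAMPLE_LOG = [
  '203.0.113.5 - - [22/Jun/2026:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 4120',
  '203.0.113.5 - - [22/Jun/2026:10:00:02 +0000] "GET /.env?.svg HTTP/1.1" 200 812',
  '203.0.113.5 - - [22/Jun/2026:10:00:03 +0000] "GET /.env.local?.wasm?init HTTP/1.1" 200 640',
  '203.0.113.5 - - [22/Jun/2026:10:00:04 +0000] "GET /logo.svg HTTP/1.1" 200 2210',
  '203.0.113.5 - - [22/Jun/2026:10:00:05 +0000] "GET /certs/server.pem?raw HTTP/1.1" 200 1704',
  '203.0.113.5 - - [22/Jun/2026:10:00:06 +0000] "GET /%2Eenv?import HTTP/1.1" 403 0',
];

console.log(findDeniedFileRequests(SAMPLE_LOG));
```

Matching on the decoded path rather than the raw request target is the point: the suffix tricks leave the path intact and only change how the server processes it, so a 200 on a path that matches the deny list is the signal, and the query string is useful context for triage rather than part of the match.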
EUVD
added 2026/06/17 6:13 p.m., 10 views

EUVD-2026-36729

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies...

CVSS 5.3 | AI score 5.2 | EPSS 0.00163
Exploits 0 | References 6
OSV
added 2026/06/17 6:13 p.m., 4 views

GHSA-MX8G-39Q3-5C79 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...

CVSS 5.3 | AI score 5.4 | EPSS 0.00163
Exploits 0 | References 7
EUVD
added 2026/06/16 11:39 p.m., 9 views

EUVD-2026-36421

@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)...

CVSS 5.9 | AI score 5.2 | EPSS 0.0028
Exploits 1 | References 6
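Two failure modes in the host/origin validation of dev servers appear on this page: CVE-2026-14631 (a malformed Host header or WebSocket Origin header raises an uncaught exception and crashes webpack-dev-server), CVE-2026-14620 (state-changing endpoints act on any GET without origin verification) and the Nuxt builder entry just above (a same-origin check that passes when Sec-Fetch-Site, Origin and Referer are all absent). The following is an added example, not webpack-dev-server's or Nuxt's code: a request gate that validates Host without ever throwing, and a same-origin decision that fails closed when none of the three headers is present. The allowed-host list, the server origin, and the request objects are constructed for the demo; the status codes are a design choice, not those projects' behaviour.

```javascript
// Hypothetical allow-list for the demo.
const ALLOWED_HOSTS = ['localhost', '127.0.0.1', '[::1]'];

// True only for a syntactically valid Host header whose hostname is allowed.
// Malformed values ("[::1", "a b") make new URL() throw; that is caught and
// turned into a rejection instead of escaping as an uncaught exception.
function isAllowedHost(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== 'string' || hostHeader === '') return false;
  if (/[/?#@\\\s]/.test(hostHeader)) return false; // never valid in a Host value
  let url;
  try {
    url = new URL('http://' + hostHeader + '/');
  } catch (e) {
    return false;
  }
  return allowed.includes(url.hostname); // WHATWG URL keeps brackets on IPv6 hostnames
}

// Same-origin decision for a browser request. Precedence: Sec-Fetch-Site
// (modern browsers), then Origin, then Referer. If all three are absent the
// answer is unknown, and for a state-changing endpoint unknown must mean no.
function isSameOriginRequest(headers, serverOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (h['sec-fetch-site'] !== undefined) {
    return h['sec-fetch-site'] === 'same-origin'; // 'cross-site', 'same-site', 'none' all fail
  }
  for (const name of ['origin', 'referer']) {
    if (h[name] === undefined) continue;
    try {
      return new URL(h[name]).origin === serverOrigin; // 'Origin: null' is not a URL and fails here
    } catch (e) {
      return false;
    }
  }
  return false; // nothing to check against: fail closed
}

// Gate for a state-changing dev endpoint (an "invalidate"-style route).
// Returns the HTTP status to send; 200 only when every check passes.
function gateStateChangingRequest(req, serverOrigin) {
  if (!isAllowedHost(req.headers.host)) return 400;
  if (req.method !== 'POST') return 405; // a plain GET must never mutate state
  if (!isSameOriginRequest(req.headers, serverOrigin)) return 403;
  return 200;
}

// Constructed requests for the demo.
const ORIGIN = 'http://localhost:8080';
const goodReq = { method: 'POST', headers: { host: 'localhost:8080', 'sec-fetch-site': 'same-origin' } };
const crashyReq = { method: 'POST', headers: { host: '[::1' } };
const headerlessReq = { method: 'POST', headers: { host: 'localhost:8080', 'user-agent': 'curl/8.0' } };
console.log(gateStateChangingRequest(goodReq, ORIGIN), gateStateChangingRequest(crashyReq, ORIGIN), gateStateChangingRequest(headerlessReq, ORIGIN));
```

The fail-closed branch is what the Nuxt entry's incomplete fix lacked: a request carrying none of the three headers (a non-browser client, or a browser that has been induced not to send them) is not proof of same-origin and must be refused on an endpoint that changes state. Non-browser tooling that legitimately calls such an endpoint can send an explicit Origin header.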
OSV
added 2026/06/15 8:56 p.m., 9 views

GHSA-RQ7W-G337-39QQ Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`

Summary: When running nuxt dev, Nuxt registers an unauthenticated route at /.well-known/appspecific/com.chrome.devtools.json that returns the absolute filesystem path of the project root and a per-project UUID persisted to node_modules/.cache/nuxt/chrome-workspace.json. The route is enabled by...

CVSS 2.3 | AI score 5.5
Exploits 0 | References 4
Snyk
added 2026/06/15 5:39 p.m., 8 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview: org.webjars.npm:webpack-dev-server uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via permissive user proxy...

CVSS 7.1 | AI score 5.9 | EPSS 0.00163
Exploits 0 | References 2
Snyk
added 2026/06/15 5:39 p.m., 9 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview: webpack-dev-server uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via permissive user proxy configurations that inclu...

CVSS 7.1 | AI score 5.9 | EPSS 0.00163
Exploits 0 | References 2
OSV
added 2026/06/15 4:16 p.m., 4 views

UBUNTU-CVE-2026-9595

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...

CVSS 5.3 | AI score 5.8 | EPSS 0.00163
Exploits 0 | References 7
Vulnrichment
added 2026/06/15 3:00 p.m., 7 views

CVE-2026-9595 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...

CVSS 5.3 | AI score 5.3 | EPSS 0.00163
Exploits 0 | References 5
CVE
added 2026/06/15 3:00 p.m., 30 views

CVE-2026-9595

The CVE affects webpack-dev-server where a user-configured proxy with a broad context (e.g., /) and ws: true intercepts the dev server’s HMR WebSocket, forwarding it to the proxy target. This can leak cookies and Origin headers to the backend, bypass Host/Origin validation, and corrupt the HMR so...

CVSS 5.3 | AI score 5.3 | EPSS 0.00163
Exploits 0 | References 5 | Affected Software 1
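The CVE-2026-9595 entries on this page (RedhatCVE, EUVD, GHSA-MX8G-39Q3-5C79, the two Snyk entries, UBUNTU-CVE-2026-9595, Vulnrichment and this CVE record) all describe the same configuration hazard: a devServer.proxy entry whose context is as broad as / with ws: true also matches the dev server's own HMR WebSocket and forwards it to the backend. The following is an added example, not webpack-dev-server's code: the permissive configuration next to two corrected forms, plus a small matcher that shows which entry would capture a given path. The matcher is a simplified stand-in for http-proxy-middleware's context matching (string contexts as path-prefix matches, function contexts called with the pathname); /ws as the HMR path is taken from the CVE-2026-14631 entry on this page, and the targets are constructed.

```javascript
// HMR WebSocket path of the dev server (the CVE-2026-14631 entry on this page refers to /ws).
const HMR_PATH = '/ws';

// Weak: a catch-all context with ws: true. Every request, including the HMR
// socket upgrade on /ws, is forwarded to the backend.
const permissiveProxy = [
  { context: ['/'], target: 'http://localhost:3000', ws: true },
];

// Corrected, preferred form: proxy only the API prefix. /ws does not start
// with /api, so the HMR socket can never match this entry.
const narrowProxy = [
  { context: ['/api'], target: 'http://localhost:3000', ws: true },
];

// Corrected, when a broad proxy is genuinely needed: a function context that
// explicitly excludes the HMR path. Keep this form rare and deliberate.
const catchAllExceptHmr = [
  { context: (pathname) => pathname !== HMR_PATH, target: 'http://localhost:3000', ws: true },
];

// Simplified matcher (not http-proxy-middleware itself): the first entry whose
// context matches the pathname, honouring ws for upgrade requests. String
// contexts are prefix matches, so '/api' also matches '/apiary'.
function matchingProxyEntry(proxy, pathname, isWebSocket = false) {
  for (const entry of proxy) {
    if (isWebSocket && !entry.ws) continue;
    const ctx = entry.context;
    const hit = typeof ctx === 'function'
      ? ctx(pathname)
      : ctx.some((prefix) => pathname.startsWith(prefix));
    if (hit) return entry;
  }
  return null;
}

// Would this configuration hand the dev server's own HMR socket to a proxy target?
function capturesHmrSocket(proxy) {
  return matchingProxyEntry(proxy, HMR_PATH, true) !== null;
}

// Audit helper for a devServer.proxy array: returns the offending entries, if any.
function hmrInterceptingEntries(proxy) {
  return proxy.filter((entry) => matchingProxyEntry([entry], HMR_PATH, true) !== null);
}

console.log(capturesHmrSocket(permissiveProxy), capturesHmrSocket(narrowProxy), capturesHmrSocket(catchAllExceptHmr));
```

Run hmrInterceptingEntries against the proxy array in an existing webpack config before relying on the dev server's Host/Origin checks: the entries on this page note that once the HMR socket is proxied, those checks are bypassed and the browser's cookies and Origin header travel to whatever the proxy target is. Narrowing the context is the configuration-side fix; it does not replace upgrading to a release that addresses the CVE.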