GHSA-93M4-6634-74Q7 vite allows server.fs.deny bypass via backslash on Windows

Summary Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - running the de...

Improper Access Control

vite is vulnerable to improper access control. The vulnerability is due to files starting with the same name as those in the public directory being served while bypassing the server.fs settings, which allows an attacker to access restricted files when the Vite dev server is exposed to the network...

MAL-2025-48012 Malicious code in webpack-dev-serve-middleware (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fb201f67e4df2c2951dcebb70620a58ed8d7c1862d4697b4e14b2e95b6673d84 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

EUVD-2019-0183

Malware in sbrugna...

EUVD-2020-0573

Malware in sbrugna...

EUVD-2025-16764

Malicious code in bioql PyPI...

EUVD-2022-7708

Malicious code in bioql PyPI...

EUVD-2025-27181

Malicious code in bioql PyPI...

EUVD-2025-25476

Malicious code in bioql PyPI...

EUVD-2022-7270

Malicious code in bioql PyPI...

EUVD-2025-16767

Malicious code in bioql PyPI...

EUVD-2025-27180

Malicious code in bioql PyPI...

CVE-2025-59427 Cloudflare vite plugin exposes secrets over the built-in dev server

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...

CVE-2025-59427

The Cloudflare Vite plugin is vulnerable when used in its default configuration, exposing all files on the local dev server (including root files like .env and .dev.vars) via the Workers runtime integration. Affected: Cloudflare Vite plugin within the Cloudflare Workers SDK. Root cause: default d...

CVE-2025-59427 Cloudflare vite plugin exposes secrets over the built-in dev server

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...

CVE-2025-56648

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them. Mitigation Mitigation for this issue is either not available o...

@adobe/aio-cli (>=7.0.0 <=8.3.0), @adobe/aio-cli-plugin-app (>=7.0.0 <=8.6.1) +31 more potentially affected by CVE-2025-56648 via @parcel/reporter-dev-server (>=2.0.0-beta.1 <=2.16.3)

@parcel/reporter-dev-server NPM version =2.0.0-beta.1, =7.0.0, =7.0.0, =1.0.0, =5.0.0, =2.3.0, =3.3.6, =2.1.0, =1.0.0-alpha.27, =2.0.0, =2.0.0, =0.0.2, =0.0.2, =2.0.0-beta.1, =2.13.4-canary.3389, =2.13.4-canary.3403 and more Source cves: CVE-2025-56648 Source advisory: OSV:GHSA-QM9P-F9J5-W83W...

Origin Validation Error

Overview @parcel/reporter-dev-server is a Blazing fast, zero configuration web application bundler Affected versions of this package are vulnerable to Origin Validation Error via improper origin validation in the development server. An attacker can access source code by tricking a developer into...

@58860ed6ffd9e897/gold-finger-extension (=1.0.2), @ableaura/ableui (=0.1.0) +1498 more potentially affected by CVE-2025-56648 via @parcel/reporter-dev-server (>=2.0.0-beta.1 <=2.9.3)

@parcel/reporter-dev-server NPM version =2.0.0-beta.1, =5.1.9, =7.0.0, =8.3.0-pre.2022-06-22.sha-42703caf, =7.0.0, =0.1.0, =1.0.0, =5.0.0, =0.0.9, =0.0.1, =5.1.0, =5.2.5 and more Source cves: CVE-2025-56648 Source advisory: SNYK:JS-PARCELREPORTERDEVSERVER-12878606...

Directory Traversal

vite-plugin-static-copy is vulnerable to Directory Traversal. The vulnerability is due to improper access control because apps exposing the Vite dev server to the network --host or server.host config option allow attackers to retrieve arbitrary files by which an attacker can access arbitrary file...