Vite - Arbitrary File Read
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...
EUVD-2024-1159
Malicious code in bioql PyPI...
Building Serverless Apps with Spin and HTMX
A tutorial on building serverless applications using Fermyon Spin and htmx, demonstrating a shopping list app with a Rust back end and htmx-enhanced front end...
Vite 6.2.2 - Arbitrary File Read
Exploit Title: Vite Arbitrary File Read - CVE-2025-30208 Date: 2025-04-03 Exploit Author: Sheikh Mohammad Hasan https://github.com/4m3rr0r Vendor Homepage: https://vitejs.dev/ Software Link: https://github.com/vitejs/vite Version: = 6.2.2, = 6.1.1, = 6.0.11, = 5.4.14, = 4.5.9 Tested on: Ubuntu...
CVE-2024-31207
CVE-2024-31207 (Vite): The vulnerability is in Vite’s server.fs.deny logic, which does not deny requests for patterns containing directories. This could allow access to unintended files or paths during development. Affected versions include 2.9.18 and 3.2.10 up to 5.2.6, 5.1.7, 5.0.13, and 4.5.3...
Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser. See CWE-172: Encoding Erro...