Lucene search
K

7 matches found

NVD
NVD
added 2 days ago4 views

CVE-2026-47428

Vitest is a testing framework powered by Vite. From 4.0.17 until 4.1.6 and 5.0.0-beta.3, Vitest Browser Mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script, allowing a crafted browser-runner URL to execute arbitrary JavaScript in the Vitest...

9.6CVSS0.00367EPSS
Exploits0References7
Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-47428 Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Vitest is a testing framework powered by Vite. From 4.0.17 until 4.1.6 and 5.0.0-beta.3, Vitest Browser Mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script, allowing a crafted browser-runner URL to execute arbitrary JavaScript in the Vitest...

9.6CVSS0.00367EPSS
Exploits0References7
CVE
CVE
added 2 days ago41 views

CVE-2026-47428

Vitest browser mode is affected by an XSS in which the otelCarrier query parameter is inserted directly into an inline script. Affected versions are 4.0.17 through 4.1.6 and 5.0.0-beta.3; this can allow an attacker to craft a browser-runner URL to execute arbitrary JavaScript in the Vitest server...

9.6CVSS6.3AI score0.00367EPSS
Exploits0References7
OSV
OSV
added 2026/06/01 2:12 p.m.32 views

GHSA-2H32-95RG-CPPP Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...

9.6CVSS6.1AI score0.00367EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/01 2:12 p.m.12 views

Cross-site Scripting (XSS)

Overview vitest is a Next generation testing framework powered by Vite Affected versions of this package are vulnerable to Cross-site Scripting XSS via the otelCarrier query parameter being directly inserted into an inline script without sanitization. An attacker can execute arbitrary JavaScript ...

9.6CVSS5.8AI score0.00367EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/01 2:12 p.m.45 views

Vitest browser mode serves unsanitized otelCarrier query parameter as inline script

Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...

9.6CVSS6.1AI score0.00367EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.29 views

PT-2026-45491

Name of the Vulnerable Software and Affected Versions Vitest versions 4.0.17 through 4.1.5 Vitest versions 5.0.0-beta.0 through 5.0.0-beta.2 Description In browser mode, the software serves the '/ vitest test /' endpoint where the otelCarrier query parameter is inserted directly into an inline...

9.6CVSS6.5AI score0.00367EPSS
Exploits0References14
Rows per page
Query Builder