Vite Dev Server - Path Traversal
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or...
Vite - Path Traversal
Vite versions prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13 contain a file exposure vulnerability caused by improper handling of request URLs with '' in the dev server running on Node or Bun, letting attackers access arbitrary files. Exploitation requires the server to be exposed to the network an...
Vite server.fs.deny Bypass - Local File Inclusion
Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser. By appending ?.svg together with ?.wasm?init, or by sending a sec-fetch-dest: script header, the server.fs.deny restriction could be bypassed. This bypass is only possible if the file is smaller than...
Vite dev server - Cross-Site Scripting
Vite's dev server, when used with appType: 'custom' and manually invoking server.transformIndexHtml using the unmodified request URL, is vulnerable to XSS via a crafted URL payload. If the HTML being served includes an inline module script ..., an attacker can inject a script via the URL,...
Vite Dev Server - Information Exposure
Vite dev server could allow reading files from the Vite project root by bypassing server.fs.deny with double forward-slash paths //. This affects exposed dev servers only. id: CVE-2023-34092 info: name: Vite Dev Server - Information Exposure author: ritikchaddha severity: high description: | Vite...
CVE-2026-39364
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, .crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are...
CVE-2026-39365 Vite has a Path Traversal in Optimized Deps `.map` Handling
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...
EUVD-2026-19873
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, .crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are...
Vite Access Control Error Vulnerability
Vite is a next-generation front-end build tool developed by the Vite project. Vite versions from 6.0.0 to 6.4.2, before 7.3.2, and before 8.0.5 contain an access control vulnerability. It stems from missing access control on WebSocket paths, which could allow attacke...
GHSA-4W7W-66W2-5VF9 Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
Summary Any file ending with .map, even outside the project, can be returned to the browser. Impact Only apps that match the following conditions are affected: - explicitly expose the Vite dev server to the network using --host or the server.host config option - have sensitive content in files...
Missing Authentication for Critical Function
Overview vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and WebSocket is enable...
@1771technologies/oneplay (>=0.0.1 <=0.0.6), @aicblock/cli (>=1.0.0 <=1.0.1) +197 more potentially affected by CVE-2026-39363 via vite (>=6.0.0 <=6.4.1)
vite NPM version =6.0.0, =0.0.1, =1.0.0, =1.0.0, =0.2.0, =4.25.19-patch.2, =19.1.0, =19.1.0, =0.55.0, =0.21.2-4.1, =0.21.23 and more Source cves: CVE-2026-39363 Source advisory: SNYK:JS-VITE-15922242...
PT-2026-25014
Name of the Vulnerable Software and Affected Versions TinaCMS versions prior to 2.1.8 Description TinaCMS is a headless content management system. Before version 2.1.8, the TinaCMS CLI development server configures Vite with server.fs.strict: false, disabling Vite’s built-in filesystem access...
Vite - Information Disclosure
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended wi...
ExploitReport
The Exploit Report — Portfolio React A single-page React si...
CVE-2025-62522
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended...
org.webjars.npm:vitepress (=1.0.0-draft.8) potentially affected by CVE-2025-62522 via org.webjars.npm:vite (=3.0.0-beta.9)
org.webjars.npm:vite MAVEN version =3.0.0-beta.9 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vite and may be impacted: - org.webjars.npm:vitepress =1.0.0-draft.8 Source cves: CVE-2025-62522 Source advisory:...
Directory Traversal
Overview vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal via the server.fs.deny function. An attacker can access restricted files by appending a backslash to the URL when the development server is running on Windows and is...
@angular-devkit/build-angular (>=20.1.0 <=20.2.0-next.2), @angular/build (>=20.1.0 <=20.2.0-next.2) +59 more potentially affected by CVE-2025-62522 via vite (>=7.0.0 <=7.0.6)
vite NPM version =7.0.0, =20.1.0, =20.1.0, =0.0.4, =0.2.9, =1.190.0, =0.1.0, =19.3.2, =19.3.2, =0.0.1750946288791, =0.0.2, =0.0.7, =0.4.1 and more Source cves: CVE-2025-62522 Source advisory: SNYK:JS-VITE-13644406...