Lucene search
K

50 matches found

Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.6 views

PT-2026-30926

Name of the Vulnerable Software and Affected Versions Vite versions 6.0.0 through 6.4.1, 7.3.2, and 8.0.5 Description The Vite dev server improperly handles .map requests for optimized dependencies. It resolves file paths and calls readFile without restricting '../' segments in the URL, potential...

6.3CVSS5.9AI score0.00914EPSS
Exploits1References12
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.10 views

PT-2026-30868

Name of the Vulnerable Software and Affected Versions Vite versions 7.1.0 through 7.3.1 and 8.0.0 through 8.0.4 Description Vite, a frontend tooling framework for JavaScript, allows retrieval of files blocked by server.fs.deny such as .env and .crt files with HTTP 200 responses when specific quer...

8.2CVSS5.9AI score0.02095EPSS
Exploits1References13
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.3 views

PT-2026-30768

Name of the Vulnerable Software and Affected Versions Vite versions 6.0.0 through 6.4.1, 7.3.2, and 8.0.5 Description Vite, a frontend tooling framework for JavaScript, had a flaw where the server.fs check was not enforced for the fetchModule method exposed in the Vite dev server’s WebSocket. If ...

8.2CVSS6.2AI score0.02907EPSS
Exploits3References14
ATTACKERKB
ATTACKERKB
added 2026/03/12 4:57 p.m.4 views

CVE-2026-29066

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...

6.2CVSS5.9AI score0.01025EPSS
Exploits1References2Affected Software1
CISA KEV Catalog
CISA KEV Catalog
added 2026/01/22 12:0 a.m.19 views

Vite Vitejs Improper Access Control Vulnerability

Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected...

7.5CVSS5AI score0.58765EPSS
In wildExploits9
Snyk
Snyk
added 2025/10/20 8:42 p.m.1 views

Directory Traversal

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal via the server.fs.deny function. An attacker can access restricted files by appending a backslash to the URL when the development server is running on...

6.5CVSS9.7AI score0.01031EPSS
Exploits0References2
OSV
OSV
added 2025/10/20 7:57 p.m.5 views

CVE-2025-62522 vite allows server.fs.deny bypass via backslash on Windows

Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended...

6CVSS6.8AI score0.01031EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2025/10/20 7:54 p.m.9 views

vite allows server.fs.deny bypass via backslash on Windows

Summary Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - running the de...

6CVSS7AI score0.01031EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2025/10/20 7:54 p.m.4 views

GHSA-93M4-6634-74Q7 vite allows server.fs.deny bypass via backslash on Windows

Summary Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - running the de...

6CVSS6.8AI score0.01031EPSS
Exploits0References4
Veracode
Veracode
added 2025/10/15 7:59 a.m.6 views

Improper Access Control

vite is vulnerable to improper access control. The vulnerability is due to files starting with the same name as those in the public directory being served while bypassing the server.fs settings, which allows an attacker to access restricted files when the Vite dev server is exposed to the network...

5.3CVSS7AI score0.0118EPSS
Exploits1References8Affected Software2
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-25476

Malicious code in bioql PyPI...

6CVSS6.4AI score0.00394EPSS
Exploits0References6
Veracode
Veracode
added 2025/09/17 6:51 a.m.5 views

Directory Traversal

vite-plugin-static-copy is vulnerable to Directory Traversal. The vulnerability is due to improper access control because apps exposing the Vite dev server to the network --host or server.host config option allow attackers to retrieve arbitrary files by which an attacker can access arbitrary file...

6CVSS6.9AI score0.00394EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2025/08/21 12:0 a.m.5 views

PT-2025-34242 · Vite · Vite-Plugin-Static-Copy

Name of the Vulnerable Software and Affected Versions: vite-plugin-static-copy versions prior to 2.3.2 vite-plugin-static-copy versions prior to 3.1.2 Description: The vite-plugin-static-copy plugin for Vite allows access to files not included in the src directory through a crafted request. This...

6CVSS7.3AI score0.00394EPSS
Exploits0References10
GithubExploit
GithubExploit
added 2025/06/27 10:13 a.m.456 views

Exploit for CVE-2025-30208

🔥 CVE-2025-30208 Vite Arbitrary File Read Vulnerability Scanne...

5.3CVSS5.9AI score0.74998EPSS
Exploits28
OSV
OSV
added 2025/04/30 5:40 p.m.9 views

GHSA-859W-5945-R5V3 Vite's server.fs.deny bypassed with /. for files under project root

Summary The contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Only files that are under project root and a...

6CVSS5.9AI score0.01077EPSS
Exploits1References4
Snyk
Snyk
added 2025/04/30 5:40 p.m.4 views

Directory Traversal

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal through the server.fs.deny configuration due to improper input sanitization. An attacker can bypass server.fs.deny with /. for files under project root...

6.5CVSS7.7AI score0.01077EPSS
Exploits1References2
OSV
OSV
added 2025/04/11 2:6 p.m.3 views

GHSA-356W-63V5-8WF4 Vite has an `server.fs.deny` bypass with an invalid `request-target`

Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...

6CVSS6.7AI score0.01736EPSS
Exploits2References4
Snyk
Snyk
added 2025/04/10 1:49 p.m.3 views

Information Exposure

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as . An attacker can access and retrieve the contents of arbitrary files by...

6.5CVSS6.9AI score0.01736EPSS
Exploits2References2
Github Security Blog
Github Security Blog
added 2025/04/04 2:20 p.m.64 views

Vite allows server.fs.deny to be bypassed with .svg or relative paths

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details .svg Requests ending with .svg are loaded at this line...

5.3CVSS5.1AI score0.38685EPSS
Exploits7References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/03/31 5:31 p.m.59 views

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Summary The contents of arbitrary files can be returned to the browser. Impact Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details - base64 encoded content of non-allowed files is exposed using ?inline&import originally...

7.5CVSS6.9AI score0.58765EPSS
Exploits9References5Affected Software1
Rows per page
Query Builder