4 matches found
CVE-2026-47428
Vitest browser mode is affected by an XSS in which the otelCarrier query parameter is inserted directly into an inline script. Affected versions are 4.0.17 through 4.1.6 and 5.0.0-beta.3; this can allow an attacker to craft a browser-runner URL to execute arbitrary JavaScript in the Vitest server...
Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...
GHSA-2H32-95RG-CPPP Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
Summary Vitest browser mode served /vitesttest/ with the otelCarrier query parameter inserted directly into an inline module script. Because this value was treated as JavaScript source rather than data, an attacker could craft a browser-runner URL that executes arbitrary JavaScript in the Vitest...
PT-2026-45491
Name of the Vulnerable Software and Affected Versions Vitest versions 4.0.17 through 4.1.5 Vitest versions 5.0.0-beta.0 through 5.0.0-beta.2 Description In browser mode, the software serves the '/ vitest test /' endpoint where the otelCarrier query parameter is inserted directly into an inline...