
12 matches found

vulnersOsv
added 2026/06/01 2:12 p.m., 5 views

@a1st/aix (>=0.0.3 <=0.5.1), @a1st/aix-core (>=0.2.0 <=0.5.1) +93 more potentially affected by CVE-2026-47428 via vitest (>=4.0.17 <=4.1.5)

vitest NPM version =4.0.17, =0.0.3, =0.2.0, =0.79.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =0.0.231, =0.0.231, =4.0.0-alpha.49, =4.0.0-alpha.66 and more Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITEST-17120487...

AI score: 5.4, EPSS: 0.0005, Exploits: 0
vulnersOsv
added 2026/06/01 2:9 p.m., 4 views

@0xshogun/sdk (>=1.0.3 <=1.1.6), @1771technologies/oneplay (>=0.0.1 <=0.0.6) +912 more potentially affected by CVE-2026-47429 via vitest (>=3.0.2 <=3.2.4)

vitest NPM version =3.0.2, =1.0.3, =0.0.1, =0.2.4, =0.8.0, =0.12.0, =3.0.0, =0.14.0, =5.8.5, =4.10.0, =1.0.0, =1.1.0 and more Source cves: CVE-2026-47429 Source advisory: SNYK:JS-VITEST-17120326...

AI score: 5.4, EPSS: 0.00232, Exploits: 0
vulnersOsv
added 2026/06/01 2:9 p.m., 4 views

@astralis-os/vitest (=2.4.1), @aws/nx-plugin (>=0.79.1 <=0.84.2) +76 more potentially affected by CVE-2026-47429 via vitest (>=4.0.0-beta.11 <=4.0.9)

vitest NPM version =4.0.0-beta.11, =0.79.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.0-alpha.31, =1.2.3-preview-a960555.0, =7.2.0, =11.0.33, =21.0.0-alpha.33, =23.0.0-alpha.1 - @forsakringskassan/vitest-config =1.1.0 and more Source cves:...

AI score: 5.4, EPSS: 0.00232, Exploits: 0
vulnersOsv
added 2026/06/01 2:9 p.m., 4 views

@0xkamal7/sui-agent (>=1.1.2 <=1.1.5), @0xshogun/sdk (>=1.0.3 <=1.1.6) +2759 more potentially affected by CVE-2026-47429 via vitest (>=0.0.141 <=3.2.4)

vitest NPM version =0.0.141, =1.1.2, =1.0.3, =0.0.1, =0.2.4, =1.0.0, =0.0.1, =1.0.7, =0.1.0, =0.8.0, =4.9.1, =1.0.2, =0.0.14, =0.1.0, =1.0.1 and more Source cves: CVE-2026-47429 Source advisory: OSV:GHSA-5XRQ-8626-4RWP...

AI score: 5.4, EPSS: 0.00232, Exploits: 0
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2025-0224

Malicious code in bioql PyPI...

CVSS: 5.9, AI score: 9, EPSS: 0.02291, Exploits: 0, References: 7
Veracode
added 2025/02/05 1:30 a.m., 14 views

Remote Code Execution (RCE)

Vitest is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the WebSocket server not validating the Origin header and lacking an authorization mechanism, allowing an attacker to inject and execute arbitrary code via the saveTestFile and rerun APIs...

CVSS: 9.6, AI score: 8.1, EPSS: 0.00629, Exploits: 1, References: 8, Affected Software: 1
Vulnrichment
added 2025/02/04 7:36 p.m., 9 views

CVE-2025-24963 Browser mode serves arbitrary files in vitest

Vitest is a testing framework powered by Vite. The screenshot-error handler on the browser mode HTTP server responds with any file on the file system. In particular, if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get th...

CVSS: 5.9, AI score: 5.8, EPSS: 0.02291, Exploits: 0, References: 4
CVE
added 2025/02/04 7:36 p.m., 159 views

CVE-2025-24963

CVE-2025-24963 concerns the Vitest browser-mode HTTP server. The vulnerability arises from the __screenshot-error handler, which can respond with arbitrary files from the host filesystem when the browser-mode server is exposed to the network (e.g., via browser.api.host: true). Under these conditions,...

CVSS: 7.5, AI score: 7.2, EPSS: 0.02291, In wild, Exploits: 0, References: 4, Affected Software: 1
OSV
added 2025/02/04 7:36 p.m., 17 views

CVE-2025-24963 Browser mode serves arbitrary files in vitest

Vitest is a testing framework powered by Vite. The screenshot-error handler on the browser mode HTTP server responds with any file on the file system. In particular, if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get th...

CVSS: 5.9, AI score: 9, EPSS: 0.02291, Exploits: 0, References: 6
vulnersOsv
added 2025/02/04 5:0 p.m., 7 views

modern-web-swiss-army-knife (>=2.7.0 <=2.7.1), nuxt-ignis (>=0.1.7 <=0.1.9) +1 more potentially affected by CVE-2025-24964 via vitest (>=3.0.2 <=3.0.4)

vitest NPM version =3.0.2, =2.7.0, =0.1.7, =0.0.1, =0.0.2 Source cves: CVE-2025-24964 Source advisory: OSV:GHSA-9CRC-Q9X8-HGQQ...

CVSS: 9.6, AI score: 7.7, EPSS: 0.00629, Exploits: 1
vulnersOsv
added 2025/02/04 5:0 p.m., 6 views

@accelint/vitest-config (=0.1.4), @ai16z/plugin-evm (>=0.1.5-alpha.2 <=0.1.5-alpha.5) +88 more potentially affected by CVE-2025-24964 via vitest (>=2.0.1 <=2.1.8)

vitest NPM version =2.0.1, =0.1.5-alpha.2, =0.1.5-alpha.0, =0.1.5-alpha.0, =0.1.5-alpha.0, =0.0.0, =0.0.1, =0.1.1, =1.2.1, =0.0.1, =0.1.8-alpha.1, =0.1.9 and more Source cves: CVE-2025-24964 Source advisory: OSV:GHSA-9CRC-Q9X8-HGQQ...

CVSS: 9.6, AI score: 5.8, EPSS: 0.00629, Exploits: 1
vulnersOsv
added 2025/02/04 5:0 p.m., 7 views

@armit/eslint-config-bases (>=0.1.1 <=0.1.5), @bpinternal/expresso (=0.2.4) +44 more potentially affected by CVE-2025-24964 via vitest (>=1.0.1 <=1.6.0)

vitest NPM version =1.0.1, =0.1.1, =1.2.3, =1.7.0, =1.7.0, =1.7.0, =1.0.295, =8.22.0, =0.0.0, =1.4.0, =4.7.0, =1.0.0, =1.1.5 and more Source cves: CVE-2025-24964 Source advisory: OSV:GHSA-9CRC-Q9X8-HGQQ...

CVSS: 9.6, AI score: 5.8, EPSS: 0.00629, Exploits: 1