5 matches found
CVE-2026-53571
CVE-2026-53571 affects the Vite dev server. On Windows, the denial mechanism implemented by the option server.fs.deny fails to normalize NTFS ADS path forms before access checks, allowing bypasses such as /.env::$DATA?raw and access via 8.3 short-name tricks. This can enable exposure of sensitive...
CVE-2026-39365
Vite Dev Server path traversal in optimized dependencies .map handling affects versions prior to 6.4.2, 7.3.2, and 8.0.5. The server resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and calls readFile without restricting ../ segments, allowing retrieval of .map files outsid...
CVE-2026-39363
CVE-2026-39363 affects Vite Dev Server. The WebSocket-based fetchModule RPC can be invoked without an Origin header, bypassing HTTP path access checks and enabling arbitrary file reads via file:// URLs combined with ?raw or ?inline. This occurs in Vite versions 6.0.0 up to before 6.4.2, 7.3.2, an...
CVE-2026-41211
Summary of CVE-2026-41211 (vite-plus/binding) : The vulnerability affects Vite+ before version 0.1.17, where downloadPackageManager() uses an untrusted version string directly in filesystem paths. An attacker can supply traversal segments (e.g., ../) or absolute paths to escape VP_HOME/package_ma...
CVE-2026-39364
CVE-2026-39364 affects the Vite dev server. Vulnerable versions include Vite 7.1.0 through 7.3.1 and 8.0.0 through 8.0.4; on those, files that should be blocked by server.fs.deny (e.g., .env, *.crt) could be retrieved via HTTP 200 when requesting with certain query params (?raw, ?import&raw, or ?...