- EPSS 0.31%
- Veröffentlicht 23.04.2026 00:56:15
- Zuletzt bearbeitet 29.04.2026 15:49:45
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute pa...
CVE-2026-39365
- EPSS 0.91%
- Veröffentlicht 07.04.2026 19:13:50
- Zuletzt bearbeitet 30.04.2026 18:34:09
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the UR...
CVE-2026-39364
- EPSS 1.72%
- Veröffentlicht 07.04.2026 19:12:47
- Zuletzt bearbeitet 30.04.2026 18:34:57
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such ...
CVE-2026-39363
- EPSS 2.29%
- Veröffentlicht 07.04.2026 19:10:44
- Zuletzt bearbeitet 30.04.2026 18:34:19
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket e...