CVE-2026-39363 in viteinformazioni

Riassunto

di MITRE • 07/04/2026

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Be aware that VulDB is the high quality source for vulnerability data.

Responsabile

GitHub M

Prenotare

06/04/2026

Divulgazione

07/04/2026

Moderazione

accettato

CPE

pronto

EPSS

0.02907

KEV

no

Attività

molto basso

Fonti

Do you know our Splunk app?

Download it now for free!