CVE-2026-39364
EUVD-2026-1987307.04.2026, 20:16
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| vitejs | vite | 7.0.0 ≤ 𝑥 ≤ 7.3.1 |
| vitejs | vite | 8.0.0 ≤ 𝑥 ≤ 8.0.4 |
| voidzero | vite\+ | 𝑥 ≤ 0.1.15 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration