anonhaven
Ad

CVE-2026-39364

HIGH CVSS 4.0: 8.2 EPSS 3.61%
Updated Apr 07, 2026
Vite
Parameter Value
CVSS 8.2 (HIGH)
Affected Versions before 7.3.2
Fixed In 7.3.2
Type CWE-284 (Improper Access Control), CWE-180
Vendor Vite
Public PoC No

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-284 Improper Access Control
CWE-180

References 1

https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-39365

Vite

6.3

CVE-2026-39363

Vite

8.2