216.73.216.67

CVE-2026-39364

· Published 07/04/2026 20:16 · Modified 08/04/2026 21:27

Labels: CVE-2026-39364 2026-04-07CVE-2026-39364CWE-180[email protected]

Essential information

Published
07/04/2026 20:16
Modified
08/04/2026 21:27
Author
Creator
CVSS
8.2 HIGH (v3) 8.2 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
vite / vite cpe:2.3:a:vite:vite:7.1.0-7.3.2:*:*:*:*:*:*:*
vite / vite cpe:2.3:a:vite:vite:8.0.5:*:*:*:*:*:*:*

References