VDB
CVE-2026-39365
CVE-2026-39365
PUBLISHED
CVSS 6.300000190734863 MEDIUM
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
EPSS 1.69% · 82.6th percentile
Risk Scores
CVSS v4.0
6.300000190734863
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
1.69%
82.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| vitejs | vite | *, *, >= 6.0.0, < 6.4.2 |
| vitejs | vite-plus | * |
| npm | vite | 8.0.0, 7.0.0, 0 |
Timeline
- Apr 6, 2026 CVE Published
- Apr 7, 2026 CVE Updated
- Apr 8, 2026 Security Advisory
- Apr 12, 2026 EPSS Score
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-39365 advisory
- https://github.com/vitejs/vite/pull/22161 url
- https://github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694 url
- https://github.com/vitejs/vite package
- https://github.com/vitejs/vite/releases/tag/v6.4.2 url
- https://github.com/vitejs/vite/releases/tag/v7.3.2 url
- https://github.com/vitejs/vite/releases/tag/v8.0.5 url