| CVE-2026-39364 |
high |
7.5 |
7.5 |
|
|
|
2mo ago |
Vite: `server.fs.deny` bypassed with queries |
| CVE-2026-39363 |
high |
7.5 |
7.5 |
|
|
|
2mo ago |
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket |
| CVE-2026-39365 |
medium |
5.3 |
5.3 |
|
|
|
2mo ago |
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling |
| CVE-2025-31125 |
unknown |
— |
1.5 |
|
|
|
1y ago |
Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the n… |
| CVE-2025-30208 |
unknown |
— |
1.0 |
|
|
|
1y ago |
Vite bypasses server.fs.deny when using ?raw?? |
| CVE-2024-52011 |
unknown |
— |
— |
|
|
|
2d ago |
launch-editor vulnerable to command injection via the crafted request on Windows |
| CVE-2025-62522 |
unknown |
— |
— |
|
|
|
8mo ago |
vite allows server.fs.deny bypass via backslash on Windows |
| CVE-2025-58751 |
unknown |
— |
— |
|
|
|
9mo ago |
Vite middleware may serve files starting with the same name with the public directory |
| CVE-2025-58752 |
unknown |
— |
— |
|
|
|
9mo ago |
Vite's `server.fs` settings were not applied to HTML files |
| CVE-2025-46565 |
unknown |
— |
— |
|
|
|
1y ago |
Vite's server.fs.deny bypassed with /. for files under project root |
| CVE-2025-32395 |
unknown |
— |
— |
|
|
|
1y ago |
Vite has an `server.fs.deny` bypass with an invalid `request-target` |
| CVE-2025-31486 |
unknown |
— |
— |
|
|
|
1y ago |
Vite allows server.fs.deny to be bypassed with .svg or relative paths |
| CVE-2025-24010 |
unknown |
— |
— |
|
|
|
1y ago |
Websites were able to send any requests to the development server and read the response in vite |
| CVE-2024-45812 |
unknown |
— |
— |
|
|
|
2y ago |
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS |
| CVE-2024-45811 |
unknown |
— |
— |
|
|
|
2y ago |
Vite's `server.fs.deny` is bypassed when using `?import&raw` |
| CVE-2024-31207 |
unknown |
— |
— |
|
|
|
2y ago |
Vite's `server.fs.deny` did not deny requests for patterns with directories. |
| CVE-2024-23331 |
unknown |
— |
— |
|
|
|
2y ago |
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem |
| CVE-2023-49293 |
unknown |
— |
— |
|
|
|
3y ago |
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload |
| CVE-2023-34092 |
unknown |
— |
— |
|
|
|
3y ago |
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) |
| CVE-2022-35204 |
unknown |
— |
— |
|
|
|
4y ago |
Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service |
