What is CVE-2026-39363?

CVE-2026-39363 is a high-severity vulnerability in Vitejs Vite, classified under Information Disclosure. CVSS score: 7.5/10. Published 2026-04-07.

How severe is CVE-2026-39363?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2026-39363 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Vitejs Vite

CVE-2026-39363

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom…

Vulnerability class: Information Disclosure

EPSS: 0.087 (92.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Vitejs Vite — versions >= 8.0.0, < 8.0.5, >= 7.0.0, < 7.3.2, >= 6.0.0, < 6.4.2
Vitejs Vite-plus — versions < 0.1.16
Voidzero Vite\+

Weakness classification (CWE)

Public proof-of-concept exploits

References

https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583 (x_refsource_CONFIRM, Exploit, Vendor Advisory)

Frequently asked questions

What is CVE-2026-39363?: CVE-2026-39363 is a high-severity vulnerability in Vitejs Vite, classified under Information Disclosure. CVSS score: 7.5/10. Published 2026-04-07.
How severe is CVE-2026-39363?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2026-39363 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.