Vitejs Vite
19 CVEs affecting Vitejs Vite. Latest disclosed: 2026-06-01. Critical: 0, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-39364 | High | 7.5 | 2026-04-07 | Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.de… |
| CVE-2026-39363 | High | 7.5 | 2026-04-07 | Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSoc… |
| CVE-2024-23331 | High | 7.5 | 2024-01-19 | Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-au… |
| CVE-2023-34092 | High | 7.5 | 2023-06-01 | Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using d… |
| CVE-2025-24010 | Medium | 6.5 | 2025-01-20 | Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to defa… |
| CVE-2024-45812 | Medium | 6.4 | 2024-09-17 | Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scrip… |
| CVE-2023-49293 | Medium | 6.1 | 2023-12-04 | Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed i… |
| CVE-2024-31207 | Medium | 5.9 | 2024-04-04 | Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience. `server.fs.deny` does… |
| CVE-2026-39365 | Medium | 5.3 | 2026-04-07 | Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dep… |
| CVE-2025-31486 | Medium | 5.3 | 2025-04-03 | Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with s… |
| CVE-2025-31125 | Medium | 5.3 | 2025-03-31 | Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposi… |
| CVE-2025-30208 | Medium | 5.3 | 2025-03-24 | Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to fil… |
| CVE-2024-45811 | Medium | 4.8 | 2024-09-17 | Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies acces… |
| CVE-2024-52011 | | | 2026-06-01 | launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` a… |
| CVE-2025-62522 | | | 2025-10-20 | Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4… |
| CVE-2025-58752 | | | 2025-09-08 | Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of… |
| CVE-2025-58751 | | | 2025-09-08 | Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public direc… |
| CVE-2025-46565 | | | 2025-05-01 | Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that… |
| CVE-2025-32395 | | | 2025-04-10 | Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the… |