CVE-2026-39363

Source
https://cve.org/CVERecord?id=CVE-2026-39363
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-39363.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-39363
Published
2026-04-07T19:10:44.916Z
Modified
2026-05-28T04:11:45.366108591Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
Details

Vite is a frontend tooling framework for JavaScript. From 6.0.0 up to, but not including, the fixed releases 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced on the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39363.json",
    "cwe_ids": [
        "CWE-200",
        "CWE-306"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "0.1.16"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
Affected packages

Git / github.com/vitejs/vite

Affected ranges

Type
GIT
Repo
https://github.com/vitejs/vite
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "6.0.0"
        },
        {
            "last_affected": "6.4.1"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "last_affected": "7.3.1"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "last_affected": "8.0.4"
        }
    ],
    "cpe": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
    "source": "CPE_RANGE"
}

Affected versions

create-vite@6.*
create-vite@6.0.0
create-vite@6.0.1
create-vite@6.1.0
create-vite@6.1.1
create-vite@6.2.0
create-vite@6.2.1
create-vite@6.3.0
create-vite@6.3.1
create-vite@6.4.0
create-vite@6.4.1
create-vite@6.5.0
create-vite@7.*
create-vite@7.0.0
create-vite@7.0.1
create-vite@7.0.2
create-vite@7.0.3
create-vite@7.1.0
create-vite@7.1.1
create-vite@7.1.2
create-vite@7.1.3
create-vite@8.*
create-vite@8.0.0
create-vite@8.0.0-beta.0
create-vite@8.0.1
create-vite@8.0.2
create-vite@8.0.3
create-vite@8.1.0
create-vite@8.2.0
create-vite@9.*
create-vite@9.0.0
create-vite@9.0.1
create-vite@9.0.2
create-vite@9.0.3
plugin-legacy@6.*
plugin-legacy@6.0.0
plugin-legacy@6.0.1
plugin-legacy@6.0.2
plugin-legacy@6.1.0
plugin-legacy@6.1.1
plugin-legacy@7.*
plugin-legacy@7.0.0
plugin-legacy@7.0.1
plugin-legacy@7.1.0
plugin-legacy@7.2.0
plugin-legacy@7.2.1
plugin-legacy@8.*
plugin-legacy@8.0.0
plugin-legacy@8.0.1
v6.*
v6.0.0
v6.0.1
v6.0.10
v6.0.11
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.0
v6.1.0-beta.0
v6.1.0-beta.1
v6.1.0-beta.2
v6.1.1
v6.2.0
v6.2.0-beta.0
v6.2.0-beta.1
v6.2.1
v6.2.2
v6.3.0
v6.3.0-beta.0
v6.3.0-beta.1
v6.3.0-beta.2
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.4.0
v6.4.1
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.1.0
v7.1.0-beta.0
v7.1.0-beta.1
v7.1.1
v7.1.10
v7.1.11
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.9
v7.2.0
v7.2.0-beta.0
v7.2.0-beta.1
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.3.0
v7.3.1
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-39363.json"

Git / github.com/voidzero-dev/vite-plus

Affected ranges

Type
GIT
Repo
https://github.com/voidzero-dev/vite-plus
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.1.15"
        }
    ],
    "cpe": "cpe:2.3:a:voidzero:vite\\+:*:*:*:*:*:node.js:*:*",
    "source": "CPE_RANGE"
}

Affected versions

v0.*
v0.0.0-0bfcc90f.20260209-0731
v0.0.0-3262bda4.20260210-0221
v0.0.0-40918e094cfc5866505c7c99ca8187c4793b88f6
v0.0.0-569bd560c8521f4cacc62e99477f14c99ca44a38
v0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab
v0.0.0-88c8bdd71344c6d38f5f11fb41e9070034598d79
v0.0.0-8a22e149.20260207-1117
v0.0.0-9f9a209dd123932614c8b5a568375a002e34562b
v0.0.0-dfd5c99899261c54d5b19dceaa831fab310d6171
v0.0.0-e32b32e5.20260224-0706
v0.0.0-f48af939.20260205-0533
v0.0.0-ffb4d08a8edafe855c59736c0a38ee85a2373ebb
v0.0.0-g0fd4d06d.20260225-1306
v0.0.0-g52709db6.20260226-1136
v0.0.0-g61d318d2.20260227-0939
v0.0.0-gd42e0ca6.20260225-0619
v0.0.2-g17a37daf.20260304-1136
v0.0.2-g3cb78c3c.20260305-0800
v0.0.2-gd8fe16bf.20260302-1535
v0.1.0
v0.1.1
v0.1.1-alpha.0
v0.1.10
v0.1.11
v0.1.12
v0.1.12-alpha.2
v0.1.13
v0.1.13-alpha.4
v0.1.13-alpha.5
v0.1.14
v0.1.14-alpha.0
v0.1.14-alpha.3
v0.1.15
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-39363.json"