vite-plus
npm
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting vite-plus
- CVE-2026-41211 · CRITICAL · CVSS 10.0 · EG 10.0 · ✓ Fixed in 0.1.17 · 2026-04-23
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an …
- CVE-2026-53571 · HIGH · CVSS 8.2 · EG 8.2 · ✓ Fixed in 0.1.24 · 2026-06-15
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensi…
- CVE-2026-53632 · MEDIUM · CVSS 5.5 · EG 5.5 · ✓ Fixed in 0.1.24 · 2026-06-15
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attemp…
- CVE-2026-53633 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 0.1.24 · 2026-06-15
Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE. Summary: Vitest Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSo…