GHSA-c27g-q93r-2cwf (High)

launch-editor vulnerable to command injection via the crafted request on Windows

Published
June 3, 2026
Last Modified
June 3, 2026


📋 Description

Summary

Due to insufficient sanitization of the file argument in launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.

Impact

If the following conditions are met, an attacker can execute arbitrary commands on the computer that is using launch-editor:

  • An attacker can place a file with the malicious filename
  • An attacker can call the launchEditor method with an attacker-controlled file argument
  • The launch-editor package is running on Windows

For example, some development servers using this package satisfy these conditions, since a malicious website may be able to force the download of a file whose path is predictable.
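As an added example (not code from launch-editor or from the advisory), this is the kind of allow-list check a launcher can apply to a user-influenced file argument before it reaches a cmd.exe command line; the `path[:line[:column]]` format and the helper names are assumptions.

```javascript
// Added example, not launch-editor's own code: validate a user-influenced
// "path[:line[:column]]" argument before it can reach a cmd.exe command line.
// The argument format and the helper names are assumptions for illustration.

// Characters cmd.exe gives special meaning to (command separators, pipes,
// redirection, the escape character, quoting and variable expansion), plus
// ASCII control characters such as newlines that split a command line.
// This is deliberately conservative: a few legal filenames are rejected.
const CMD_UNSAFE = /[&|<>^"%!\x00-\x1f]/;

// Splits "path[:line[:column]]" into its parts. Returns null when the input
// is not a string, is empty, or contains any cmd.exe metacharacter, so the
// caller refuses to launch rather than trying to escape the value.
function parseFileArg(file) {
  if (typeof file !== 'string' || file.length === 0) return null;
  if (CMD_UNSAFE.test(file)) return null;
  // Lazy ".*?" lets a Windows drive prefix ("C:\...") stay in the path part
  // while a trailing ":12:4" is taken as line and column.
  const m = /^(.*?)(?::(\d+))?(?::(\d+))?$/.exec(file);
  if (!m || m[1].length === 0) return null;
  return {
    path: m[1],
    line: m[2] === undefined ? null : Number(m[2]),
    column: m[3] === undefined ? null : Number(m[3]),
  };
}

// True when the argument is safe to pass on to an editor launcher.
function isSafeWindowsFile(file) {
  return parseFileArg(file) !== null;
}

// Builds the argv array for an editor that accepts "path:line:column"
// (VS Code style "--goto"). Passing an argv array to spawn() without a
// shell keeps every part a single argument; this example only builds it.
function buildEditorArgs(file) {
  const parsed = parseFileArg(file);
  if (parsed === null) throw new Error('refusing unsafe file argument');
  let target = parsed.path;
  if (parsed.line !== null) target += `:${parsed.line}`;
  if (parsed.column !== null) target += `:${parsed.column}`;
  return ['--goto', target];
}
```

Rejecting the whole argument is simpler and safer than trying to quote it for cmd.exe, whose quoting rules differ from those of POSIX shells.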

Patch

This issue has been fixed in launch-editor version 2.9.0 (commit).

🎯 Affected products (2)

  • npm/launch-editor:<= 2.8.2
  • npm/vite:<= 5.4.8
