Search for packages
| purl | pkg:npm/vite@5.0.0-beta.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-937q-cbk9-27g4
Aliases: CVE-2026-39365 GHSA-4w7w-66w2-5vf9 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-c6xd-az5r-r3fe
Aliases: CVE-2025-58752 GHSA-jqfw-vq24-v9c3 |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-z9hv-6kpm-6fbv
Aliases: CVE-2025-58751 GHSA-g4jq-h2w9-997c |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1u9w-ucbx-dqgv |
CVE-2025-46565
GHSA-859w-5945-r5v3 |
|
| VCID-ejgf-18s2-jfcv |
CVE-2025-31125
GHSA-4r4m-qw57-chr8 |
|
| VCID-qqmk-huxn-kkcq | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability. |
CVE-2023-49293
GHSA-92r3-m2mg-pj97 |
| VCID-s6e9-86vw-kqej | Improper Access Control Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. |
CVE-2024-23331
GHSA-c24v-8rfc-w8vw |