| purl | pkg:npm/vite@5.4.0 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-6cep-dhsy-qkhg<br>Aliases: CVE-2024-45812 GHSA-64vr-g452-qvp3 | Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS. We discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Note that we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986 | Affected by 0 other vulnerabilities. |
| VCID-ccy3-s9ra-uub9<br>Aliases: CVE-2024-45811 GHSA-9cwx-2883-4wfx | Vite's `server.fs.deny` is bypassed when using `?import&raw`. The contents of arbitrary files can be returned to the browser. | Affected by 0 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T16:22:16.992166+00:00 | GitLab Importer | Affected by | VCID-6cep-dhsy-qkhg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2024-45812.yml | 38.6.0 |
| 2026-06-04T16:22:16.828883+00:00 | GitLab Importer | Affected by | VCID-ccy3-s9ra-uub9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2024-45811.yml | 38.6.0 |