VulnerableCode Package Details - pkg:npm/vite@5.4.21

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/vite@5.4.21

purl	pkg:npm/vite@5.4.21

Next non-vulnerable version	6.4.2
Latest non-vulnerable version	8.0.5
Risk	3.1

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-937q-cbk9-27g4 Aliases: CVE-2026-39365 GHSA-4w7w-66w2-5vf9		6.4.2 Affected by 0 other vulnerabilities. 7.0.0-beta.0 Affected by 0 other vulnerabilities. 7.3.2 Affected by 0 other vulnerabilities. 8.0.0-beta.0 Affected by 0 other vulnerabilities. 8.0.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-937q-cbk9-27g4
Aliases:
CVE-2026-39365
GHSA-4w7w-66w2-5vf9

6.4.2
Affected by 0 other vulnerabilities.

7.0.0-beta.0
Affected by 0 other vulnerabilities.

7.3.2
Affected by 0 other vulnerabilities.

8.0.0-beta.0
Affected by 0 other vulnerabilities.

8.0.5
Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-qt19-799f-1ue5	vite allows server.fs.deny bypass via backslash on Windows Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows.	CVE-2025-62522 GHSA-93m4-6634-74q7

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T10:34:19.432552+00:00	GitLab Importer	Affected by	VCID-937q-cbk9-27g4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2026-39365.yml	38.6.0
2026-05-31T10:58:49.786591+00:00	GithubOSV Importer	Fixing	VCID-qt19-799f-1ue5	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-93m4-6634-74q7/GHSA-93m4-6634-74q7.json	38.6.0
2026-05-31T01:05:40.431454+00:00	GHSA Importer	Fixing	VCID-qt19-799f-1ue5	https://github.com/advisories/GHSA-93m4-6634-74q7	38.6.0