Search for packages
| purl | pkg:npm/vite@7.1.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-b2m1-kmdu-ykgt
Aliases: CVE-2025-58752 GHSA-jqfw-vq24-v9c3 |
Vite's `server.fs` settings were not applied to HTML files Any HTML files on the machine were served regardless of the `server.fs` settings. |
Affected by 3 other vulnerabilities. |
|
VCID-gefx-xng3-k3f4
Aliases: CVE-2025-58751 GHSA-g4jq-h2w9-997c |
Vite middleware may serve files starting with the same name with the public directory Files starting with the same name with the public directory were served bypassing the `server.fs` settings. |
Affected by 3 other vulnerabilities. |
|
VCID-kb9w-txmc-pbhq
Aliases: CVE-2025-62522 GHSA-93m4-6634-74q7 |
vite allows server.fs.deny bypass via backslash on Windows Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows. |
Affected by 3 other vulnerabilities. |
|
VCID-p1jn-hqj6-j7ca
Aliases: CVE-2026-39363 GHSA-p9ff-h696-f583 |
Vite: Vite: Information disclosure via WebSocket connection bypasses access control |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ths5-cgck-gkhy
Aliases: CVE-2026-39364 GHSA-v2wj-q39q-566r |
vite: Vite: Information disclosure via query parameter manipulation on the development server |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zn73-3dmx-vye4
Aliases: CVE-2026-39365 GHSA-4w7w-66w2-5vf9 |
vite: Vite: Information disclosure via path traversal in dev server's .map request handling |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||