Vite is a frontend tooling framework for JavaScript. Versions from 6.0.0 up to, but not including, 6.4.2, 7.3.2, and 8.0.5 are affected: if it is possible to connect to the Vite dev server's WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced on the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
References
| Link | Resource |
|---|---|
| https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583 | Exploit Vendor Advisory |
History
15 Apr 2026, 20:07
| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Vitejs; Vitejs vite; Vitejs vite-plus |
| CPE | | cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*; cpe:2.3:a:vitejs:vite-plus:*:*:*:*:*:node.js:*:* |
| CVSS | v2 : ; v3 : | v2 : unknown; v3 : 7.5 |
| References | | https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583 - Exploit, Vendor Advisory |
08 Apr 2026, 19:25
| Type | Values Removed | Values Added |
|---|---|---|
| References | | https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583 |
07 Apr 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-04-07 20:16
Updated : 2026-04-15 20:07
NVD link : CVE-2026-39363
Mitre link : CVE-2026-39363
CVE.ORG link : CVE-2026-39363
Products Affected
vitejs
- vite
- vite-plus
