cvedb.io
CVE-2026-39363
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-04-07T20:16:30.000 · Last modified 2026-06-30T03:19:05.220

Summary

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Affected products

vitejs — vite

Does this affect you?

Add your gear to cvedb and we'll alert you only when vitejs ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.