HIGH 7.5 npm
GHSA-353f-5xf4-qw67 · CVE-2023-34092 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Modified: 8/9/2024
package
npm / vite
pkg:npm/vite
MEDIUM npm
GHSA-356w-63v5-8wf4 · CVE-2025-32395 Vite has an `server.fs.deny` bypass with an invalid `request-target`
Modified: 2/4/2026
MEDIUM 5.3 npm
GHSA-4r4m-qw57-chr8 · CVE-2025-31125 Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Modified: 2/4/2026
MEDIUM npm
GHSA-4w7w-66w2-5vf9 · CVE-2026-39365 Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
Modified: 4/9/2026
MEDIUM 6.4 npm
GHSA-64vr-g452-qvp3 · CVE-2024-45812 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Modified: 2/4/2026
MEDIUM npm
GHSA-859w-5945-r5v3 · CVE-2025-46565 Vite's server.fs.deny bypassed with /. for files under project root
Modified: 2/4/2026
MEDIUM 5.9 npm
GHSA-8jhw-289h-jh2g · CVE-2024-31207 Vite's `server.fs.deny` did not deny requests for patterns with directories.
Modified: 4/5/2024
MEDIUM 6.1 npm
GHSA-92r3-m2mg-pj97 · CVE-2023-49293 Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Modified: 12/6/2023
MEDIUM npm
GHSA-93m4-6634-74q7 · CVE-2025-62522 vite allows server.fs.deny bypass via backslash on Windows
Modified: 2/4/2026
MEDIUM 5.3 npm
GHSA-9cwx-2883-4wfx · CVE-2024-45811 Vite's `server.fs.deny` is bypassed when using `?import&raw`
Modified: 2/4/2026
HIGH 7.5 npm
GHSA-c24v-8rfc-w8vw · CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Modified: 2/4/2026
HIGH npm
GHSA-c27g-q93r-2cwf · CVE-2024-52011 launch-editor vulnerable to command injection via the crafted request on Windows
Modified: 6/6/2026
HIGH npm
GHSA-fx2h-pf6j-xcff · CVE-2026-53571 vite: `server.fs.deny` bypass on Windows alternate paths
Modified: 6/15/2026
LOW npm
GHSA-g4jq-h2w9-997c · CVE-2025-58751 Vite middleware may serve files starting with the same name with the public directory
Modified: 2/4/2026
LOW npm
GHSA-jqfw-vq24-v9c3 · CVE-2025-58752 Vite's `server.fs` settings were not applied to HTML files
Modified: 2/4/2026
HIGH 8.6 npm
GHSA-mv48-hcvh-8jj8 · CVE-2022-35204 Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service
Modified: 9/23/2024
HIGH npm
GHSA-p9ff-h696-f583 · CVE-2026-39363 Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
Modified: 4/9/2026
HIGH npm
GHSA-v2wj-q39q-566r · CVE-2026-39364 Vite: `server.fs.deny` bypassed with queries
Modified: 4/9/2026
MEDIUM npm
GHSA-v6wh-96g9-6wx3 · CVE-2026-53632 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
Modified: 6/15/2026
MEDIUM 6.5 npm
GHSA-vg6x-rcgg-rjx6 · CVE-2025-24010 Websites were able to send any requests to the development server and read the response in vite
Modified: 2/4/2026
MEDIUM 5.3 npm
GHSA-x574-m823-4x7w · CVE-2025-30208 Vite bypasses server.fs.deny when using ?raw??
Modified: 2/4/2026
MEDIUM 5.3 npm
GHSA-xcj6-pq6g-qj4x · CVE-2025-31486 Vite allows server.fs.deny to be bypassed with .svg or relative paths
Modified: 2/4/2026