CVE-2026-53571 is a high-severity vulnerability in Vite, a frontend tooling framework for JavaScript. The vulnerability allows the contents of sensitive files, such as .env, .env.*, and *.{crt,pem}, to be returned to the browser on Windows. This occurs because Vite's dev server does not correctly normalize NTFS ADS path forms before access checks are applied. As a result, requests like /.env::$DATA?raw ar [truncated]
CVE-2024-52011 is a command injection vulnerability in the launch-editor npm package, affecting versions prior to 2.9.0. The flaw exists in the `launchEditor` function's insufficient sanitization of the `file` argument on Windows systems. An attacker can execute arbitrary commands by supplying a crafted filename containing special characters. This vulnerability is particularly relevant for development env [truncated]
CVE-2026-39364 is a high-severity vulnerability in Vite, a frontend tooling framework for JavaScript. The vulnerability allows files that should be blocked by server.fs.deny (e.g., .env, *.crt) to be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This issue affects Vite versions from 7.1.0 to before 7.3.2 and 8.0.5. The vulnerability [truncated]