PatchSiren cyber security CVE debrief
CVE-2026-39364 Vitejs CVE debrief
CVE-2026-39364 is a high-severity vulnerability in Vite, a frontend tooling framework for JavaScript. It allows files that should be blocked by server.fs.deny (e.g., .env, *.crt) to be retrieved from the development server with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended to the request. The issue affects Vite versions from 7.1.0 up to, but not including, 7.3.2 and 8.0.5, and is fixed in 7.3.2 and 8.0.5. Users of affected versions should update to a patched version as soon as possible. The CVSS score for this vulnerability is 8.2 (high severity).
- Vendor: Vitejs
- Product: Vite
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-07
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-07
- Advisory updated: 2026-06-30
Who should care
Developers and administrators running Vite in their projects should be aware of this vulnerability and act to mitigate the risk. Projects still on an affected version are exposed to disclosure of files the development server was configured to deny. Security teams should prioritize patching affected systems and monitor for exploitation attempts against exposed development servers.
Technical summary
The vulnerability arises from the way the Vite development server handles file requests. When query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended to a request, the server may serve files that server.fs.deny should have blocked, which can disclose sensitive information such as environment files and certificates. The vulnerability has been assigned a CVSS score of 8.2 (high severity). The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
High priority should be given to patching affected Vite installations. Developers should update to Vite versions 7.3.2 or 8.0.5, or later, as soon as possible. In the meantime, users can consider implementing additional security measures, such as restricting access to the development server or monitoring for suspicious activity.
Recommended defensive actions
- Update to Vite version 7.3.2 or 8.0.5, or later.
- Restrict access to the Vite development server.
- Monitor for suspicious activity and potential exploitation attempts.
- Review and update server.fs.deny configurations to ensure sensitive files are properly blocked.
- Consider implementing additional security measures, such as Web Application Firewalls (WAFs) or intrusion detection systems.
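To support the "monitor for suspicious activity" and "review server.fs.deny" actions above, the following is an added example (not code from the advisory or from the Vite project) that scans constructed dev-server access log lines for requests that combine a deny-listed file name with one of the query-parameter forms named in this debrief. The log line format, the client address, and the simplified deny list (basename-only glob matching, which is narrower than Vite's real matcher) are assumptions made for the example; a request to a denied path that still received HTTP 200 is the signal that the deny configuration did not hold.

```javascript
// Added example: detection logic for CVE-2026-39364-style requests.
// Assumed deny list, mirroring the file types named in the advisory.
const DENY_PATTERNS = ['.env', '.env.*', '*.crt', '*.pem'];

// Convert a simple basename glob ('*' wildcard only) into a RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*');                  // '*' matches any run of characters
  return new RegExp(`^${escaped}$`);
}

const DENY_REGEXPS = DENY_PATTERNS.map(globToRegExp);

// True when the last path segment matches any deny pattern (assumption:
// basename matching only, a simplification of Vite's matcher).
function isDeniedPath(pathname) {
  const base = pathname.split('/').filter(Boolean).pop() || '';
  return DENY_REGEXPS.some((re) => re.test(base));
}

// True for the query-parameter combinations cited in the debrief:
// ?raw, ?import&raw, ?import&url&inline.
function hasBypassQuery(search) {
  const params = new URLSearchParams(search);
  const has = (k) => params.has(k);
  return has('raw') || (has('import') && has('url') && has('inline'));
}

// Parse one constructed log line: "<timestamp> <client> <method> <url> <status>".
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\S+) (\d{3})$/);
  if (!m) return null;
  const url = new URL(m[4], 'http://localhost'); // base is only used to parse the path
  return {
    ts: m[1],
    client: m[2],
    method: m[3],
    pathname: url.pathname,
    search: url.search,
    status: Number(m[5]),
  };
}

// A 200 on a denied path means the file was actually served.
function classify(req) {
  return req.status === 200 ? 'denied-file-served' : 'denied-file-blocked';
}

// Return every request that targets a denied file with a bypass query.
function findSuspectRequests(lines) {
  return lines
    .map(parseLine)
    .filter((r) => r && isDeniedPath(r.pathname) && hasBypassQuery(r.search))
    .map((r) => ({ ...r, verdict: classify(r) }));
}

// Constructed sample log (RFC 5737 test address; not real traffic).
const SAMPLE_LOG = [
  '2026-04-07T10:00:00Z 198.51.100.7 GET /src/main.ts?import 200',
  '2026-04-07T10:00:01Z 198.51.100.7 GET /.env?raw 200',
  '2026-04-07T10:00:02Z 198.51.100.7 GET /certs/server.crt?import&url&inline 200',
  '2026-04-07T10:00:03Z 198.51.100.7 GET /.env 403',
];

for (const hit of findSuspectRequests(SAMPLE_LOG)) {
  console.log(`${hit.ts} ${hit.client} ${hit.pathname}${hit.search} -> ${hit.verdict}`);
}
```

Run with `node`, and the two flagged lines are the .env and .crt requests that carried a bypass query and were answered with 200; the plain /.env request that got a 403 is not flagged because the deny rule worked there. A dev server that is bound to localhost only, as the restriction action above recommends, would not produce remote entries like these at all.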
Evidence notes
The vulnerability is documented in the official CVE record and the NVD detail page. The CVE record provides a brief description of the vulnerability, while the NVD detail page offers additional information, including the CVSS score and vector. The source item URL provides further details on the vulnerability, including references to vendor advisories and other sources.
Official resources
- CVE-2026-39364 CVE record (CVE.org)
- CVE-2026-39364 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.