Command Injection Vulnerability in Launch Editor by Vite
CVE-2024-52011

7.5HIGH

Key Information:

Vendor: Vitejs
Status: Launch-editor; Vite
Vendor: CVE Published:; 1 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-52011?

The Launch Editor by Vite suffers from a command injection vulnerability due to insufficient sanitization of the file argument in the launchEditor function. This flaw allows attackers to execute arbitrary commands on Windows systems by manipulating the filename with special characters before version 2.9.0. The issue was addressed in version 2.9.0, a critical update users are urged to adopt promptly to safeguard against potential exploitation.

Affected Version(s)

launch-editor < 2.9.0

vite < 5.4.9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-52011
Created by HORKimhab

References

https://github.com/vitejs/launch-editor/security/advisori...

x_refsource_CONFIRM

https://github.com/vitejs/launch-editor/commit/971291e8a6...

x_refsource_MISC

CVSS V4

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 9, 2026
👾
Exploit known to exist
Jun 9, 2026
Vulnerability published
Jun 1, 2026
Vulnerability Reserved
Nov 4, 2024

CVE-2024-52011 Data

JSON

Vitejs

Badges

What is CVE-2024-52011?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline