Command Injection Vulnerability in Launch Editor by Vite
CVE-2024-52011

7.5HIGH

Key Information:

Vendor: Vitejs
Status: Launch-editor; Vite
Vendor: CVE Published:; 1 June 2026

What is CVE-2024-52011?

The Launch Editor by Vite suffers from a command injection vulnerability due to insufficient sanitization of the file argument in the launchEditor function. This flaw allows attackers to execute arbitrary commands on Windows systems by manipulating the filename with special characters before version 2.9.0. The issue was addressed in version 2.9.0, a critical update users are urged to adopt promptly to safeguard against potential exploitation.

Affected Version(s)

launch-editor < 2.9.0

vite < 5.4.9

References

https://github.com/vitejs/launch-editor/security/advisori...

x_refsource_CONFIRM

https://github.com/vitejs/launch-editor/commit/971291e8a6...

x_refsource_MISC

CVSS V4

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
Nov 4, 2024

CVE-2024-52011 Data

JSON

Vitejs

What is CVE-2024-52011?

Affected Version(s)

References

CVSS V4

Timeline