File Exposure Vulnerability in Vite Frontend Tooling Framework
CVE-2026-39364

8.2HIGH

Key Information:

Vendor: Vitejs
Status: Vite; Vite-plus
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-39364?

A vulnerability in the Vite dev server allows unauthorized retrieval of sensitive files. Specifically, files that should be restricted via server.fs.deny, such as .env and *.crt, can be accessed through specific query parameters (e.g., ?raw, ?import&raw, ?import&url&inline) in versions 7.1.0 to 7.3.1 and 8.0.0 to 8.0.4. This issue, which poses a significant security risk, has been addressed in Vite releases 7.3.2 and 8.0.5. Ensuring that users upgrade to these versions will mitigate the risk of unauthorized file access.

Affected Version(s)

vite >= 8.0.0, < 8.0.5 < 8.0.0, 8.0.5

vite >= 7.1.0, < 7.3.2 < 7.1.0, 7.3.2

vite-plus < 0.1.16

References

https://github.com/vitejs/vite/security/advisories/GHSA-v...

x_refsource_CONFIRM

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39364 Data

JSON

Vitejs

What is CVE-2026-39364?

Affected Version(s)

References

CVSS V4

Timeline