Directory Traversal Vulnerability in Vite Frontend Tooling Framework
CVE-2026-39365

6.3 MEDIUM

Key Information:

Vendor: Vitejs

CVE Published: 7 April 2026

What is CVE-2026-39365?

The Vite frontend tooling framework contains a directory traversal vulnerability in versions 6.0.0 up to, but not including, 6.4.2; 7.0.0 up to, but not including, 7.3.2; and 8.0.0 up to, but not including, 8.0.5. The issue lies in how the dev server handles .map requests: file paths are resolved without sufficiently restricting '../' segments in the URL. As a result, .map files located outside the intended project root can be read without authorization, provided those files parse as valid source map JSON. The vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5. Update your Vite installations to one of these releases or later to mitigate the risk.
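The kind of containment check the description above says was insufficient, shown as an added example beside the weak form. This is not Vite's code and not part of the original advisory; `naiveResolve`, `resolveMapRequest`, the root `/srv/app` and the sample URLs are hypothetical and constructed for illustration.

```javascript
// Added example: a simplified model of serving .map files from a project root.
// naiveResolve, resolveMapRequest and the paths below are hypothetical, not Vite's API.
const path = require('node:path');

// Weak form: path.join() normalizes "../", so the result can leave the root.
function naiveResolve(root, urlPath) {
  return path.join(root, urlPath);
}

// Hardened form: decode first, resolve, then verify containment in the root.
function resolveMapRequest(root, requestUrl) {
  const rawPath = requestUrl.split(/[?#]/, 1)[0]; // drop query string and fragment
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath); // so "%2e%2e%2f" is seen as "../"
  } catch {
    return { ok: false, reason: 'malformed-encoding' };
  }
  if (decoded.includes('\0')) return { ok: false, reason: 'nul-byte' };
  if (!decoded.endsWith('.map')) return { ok: false, reason: 'not-a-map-request' };

  const absRoot = path.resolve(root);
  // The URL path is root-relative even though it begins with "/".
  const candidate = path.resolve(absRoot, './' + decoded.replace(/^\/+/, ''));
  // path.relative() avoids the prefix bug where "/srv/app-old" passes
  // a startsWith("/srv/app") check.
  const rel = path.relative(absRoot, candidate);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return { ok: false, reason: 'outside-root' };
  }
  return { ok: true, file: candidate };
}

// Constructed sample requests against a constructed root.
const ROOT = '/srv/app';
const SAMPLES = [
  '/src/main.js.map',
  '/src/../main.js.map?v=1',
  '/../app-old/main.js.map',
  '/%2e%2e/%2e%2e/tmp/x.map',
  '/%zz.map',
];
function runSamples() {
  return SAMPLES.map((u) => ({ url: u, ...resolveMapRequest(ROOT, u) }));
}
console.log(runSamples());
```

A check like this compares paths lexically; where symlinks may exist under the root, resolve them (for example with `fs.realpath`) before the comparison.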

Affected Version(s)

vite >= 8.0.0, < 8.0.5 < 8.0.0, 8.0.5

vite >= 7.0.0, < 7.3.2 < 7.0.0, 7.3.2

vite >= 6.0.0, < 6.4.2 < 6.0.0, 6.4.2

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
