Directory Traversal Vulnerability in Vite+ by Void Zero
CVE-2026-41211

8.4HIGH

Key Information:

Vendor: Voidzero-dev
Status: Vite-plus
Vendor: CVE Published:; 23 April 2026

🔔 Create Voidzero-dev Vulnerability Alert

What is CVE-2026-41211?

Vite+ is a comprehensive toolchain for web development. A vulnerability in versions prior to 0.1.17 allows untrusted input via the downloadPackageManager() function. This function incorrectly utilizes an untrusted 'version' parameter directly in filesystem paths, potentially enabling attackers to exploit directory traversal. By injecting ../ or absolute paths, an attacker can manipulate the filesystem, leading to unauthorized access and modification of files outside the designated cache area. The issue has been addressed in version 0.1.17, making it critical to update to this version or later.

Affected Version(s)

vite-plus < 0.1.17

References

https://github.com/voidzero-dev/vite-plus/security/adviso...

x_refsource_CONFIRM

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Apr 18, 2026

CVE-2026-41211 Data

JSON