Arbitrary JavaScript Execution Vulnerability in Vitest Testing Framework by Vitest
CVE-2026-47428
9.6CRITICAL
What is CVE-2026-47428?
The Vitest testing framework contains a vulnerability that could allow an attacker to execute arbitrary JavaScript code within the context of the Vitest server. This occurs due to the improper handling of the otelCarrier query parameter in inline module scripts served by Vitest Browser Mode. By manipulating browser-runner URLs, attackers can potentially retrieve the VITEST_API_TOKEN, which could facilitate unauthorized API access. This issue has been resolved in the updated versions 4.1.6 and 5.0.0-beta.3.
Affected Version(s)
vitest >= 4.0.17, < 4.1.6 < 4.0.17, 4.1.6
vitest >= 5.0.0-beta.0, < 5.0.0-beta.3 < 5.0.0-beta.0, 5.0.0-beta.3
