Arbitrary JavaScript Execution Vulnerability in Vitest Testing Framework by Vitest
CVE-2026-47428

9.6CRITICAL

Key Information:

Vendor

Vitest-dev

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-47428?

The Vitest testing framework contains a vulnerability that could allow an attacker to execute arbitrary JavaScript code within the context of the Vitest server. This occurs due to the improper handling of the otelCarrier query parameter in inline module scripts served by Vitest Browser Mode. By manipulating browser-runner URLs, attackers can potentially retrieve the VITEST_API_TOKEN, which could facilitate unauthorized API access. This issue has been resolved in the updated versions 4.1.6 and 5.0.0-beta.3.

Affected Version(s)

vitest >= 4.0.17, < 4.1.6 < 4.0.17, 4.1.6

vitest >= 5.0.0-beta.0, < 5.0.0-beta.3 < 5.0.0-beta.0, 5.0.0-beta.3

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.