Remote Code Execution Vulnerability in launch-editor Package by ViteJS
CVE-2026-53632

5.5MEDIUM

Key Information:

Vendor: Vitejs
Status: Launch-editor; Vite; Vite-plus
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-53632?

The launch-editor NPM package prior to version 2.14.1 presents a vulnerability that allows users to access arbitrary file paths, including Windows UNC paths. When a UNC path is opened, Windows can inadvertently initiate NTLM authentication to a remote server. This process may lead to the unintentional exposure of the user's NTLMv2 password hash to an attacker-controlled SMB server, enabling potential credential compromise through offline hash cracking methods.

Affected Version(s)

launch-editor < 2.14.1

vite >= 8.0.0, < 8.0.16 < 8.0.0, 8.0.16

vite >= 7.0.0, < 7.3.5 < 7.0.0, 7.3.5

References

https://github.com/vitejs/launch-editor/security/advisori...

x_refsource_CONFIRM

CVSS V4

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Jun 9, 2026

CVE-2026-53632 Data

JSON

Vitejs

What is CVE-2026-53632?

Affected Version(s)

References

CVSS V4

Timeline