GHSA-c27g-q93r-2cwf

Suggest an improvement
Source
https://github.com/advisories/GHSA-c27g-q93r-2cwf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c27g-q93r-2cwf/GHSA-c27g-q93r-2cwf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c27g-q93r-2cwf
Aliases
  • CVE-2024-52011
Published
2026-06-03T18:02:48Z
Modified
2026-06-03T18:15:08.838367178Z
Severity
  • 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
launch-editor vulnerable to command injection via the crafted request on Windows
Details

Summary

Due to the insufficient sanitization of the file argument in the launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.

Impact

If the following conditions are met, an attacker can execute arbitrary commands on the computer that is using the launch-editor:

  • An attacker can place a file with the malicious filename
  • An attacker can call the launchEditor method with the file argument controlled
  • The launch-editor package is running on Windows

For example, some development server using this package satisfy these conditions, as a malicious website might be able to force the downloading of a file and the path of that file is predictable.

Patch

This issue has been fixed in the launch-editor version 2.9.0 (commit).

Database specific 
{
    "cwe_ids": [
        "CWE-77"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-06-01T19:16:18Z",
    "github_reviewed_at": "2026-06-03T18:02:48Z",
    "severity": "HIGH"
}
References

Affected packages

npm / launch-editor

Package

Name
launch-editor
View open source insights on deps.dev
Purl
pkg:npm/launch-editor

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c27g-q93r-2cwf/GHSA-c27g-q93r-2cwf.json"
last_known_affected_version_range 
"<= 2.8.2"

npm / vite

Package

Name
vite
View open source insights on deps.dev
Purl
pkg:npm/vite

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.4.9

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-c27g-q93r-2cwf/GHSA-c27g-q93r-2cwf.json"
last_known_affected_version_range 
"<= 5.4.8"