CVE-2026-39365

Source
https://cve.org/CVERecord?id=CVE-2026-39365
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39365.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39365
Aliases
Downstream
Related
Published
2026-04-07T19:13:50.927Z
Modified
2026-07-15T01:49:03.137752576Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Vite has a Path Traversal in Optimized Deps `.map` Handling
Details

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "0.1.16"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39365.json"
}
References

Affected packages

Git / github.com/vitejs/vite

Affected ranges

Type
GIT
Repo
https://github.com/vitejs/vite
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.5"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.3.2"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.4.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/voidzero-dev/vite-plus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:voidzero:vite\\+:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.1.15"
        }
    ]
}

Affected versions

create-vite@6.*
create-vite@6.0.0
create-vite@6.0.1
create-vite@6.1.0
create-vite@6.1.1
create-vite@6.2.0
create-vite@6.2.1
create-vite@6.3.0
create-vite@6.3.1
create-vite@6.4.0
create-vite@6.4.1
create-vite@6.5.0
create-vite@7.*
create-vite@7.0.0
create-vite@7.0.1
create-vite@7.0.2
create-vite@7.0.3
create-vite@7.1.0
create-vite@7.1.1
create-vite@7.1.2
create-vite@7.1.3
create-vite@8.*
create-vite@8.0.0
create-vite@8.0.0-beta.0
create-vite@8.0.1
create-vite@8.0.2
create-vite@8.0.3
create-vite@8.1.0
create-vite@8.2.0
create-vite@8.3.0
create-vite@9.*
create-vite@9.0.0
create-vite@9.0.1
create-vite@9.0.2
create-vite@9.0.3
create-vite@9.0.4
plugin-legacy@6.*
plugin-legacy@6.0.0
plugin-legacy@6.0.1
plugin-legacy@6.0.2
plugin-legacy@6.1.0
plugin-legacy@6.1.1
plugin-legacy@7.*
plugin-legacy@7.0.0
plugin-legacy@7.0.1
plugin-legacy@7.1.0
plugin-legacy@7.2.0
plugin-legacy@7.2.1
plugin-legacy@8.*
plugin-legacy@8.0.0
plugin-legacy@8.0.1
v0.*
v0.0.0-0bfcc90f.20260209-0731
v0.0.0-3262bda4.20260210-0221
v0.0.0-40918e094cfc5866505c7c99ca8187c4793b88f6
v0.0.0-569bd560c8521f4cacc62e99477f14c99ca44a38
v0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab
v0.0.0-88c8bdd71344c6d38f5f11fb41e9070034598d79
v0.0.0-8a22e149.20260207-1117
v0.0.0-9f9a209dd123932614c8b5a568375a002e34562b
v0.0.0-dfd5c99899261c54d5b19dceaa831fab310d6171
v0.0.0-e32b32e5.20260224-0706
v0.0.0-f48af939.20260205-0533
v0.0.0-ffb4d08a8edafe855c59736c0a38ee85a2373ebb
v0.0.0-g0fd4d06d.20260225-1306
v0.0.0-g52709db6.20260226-1136
v0.0.0-g61d318d2.20260227-0939
v0.0.0-gd42e0ca6.20260225-0619
v0.0.2-g17a37daf.20260304-1136
v0.0.2-g3cb78c3c.20260305-0800
v0.0.2-gd8fe16bf.20260302-1535
v0.1.0
v0.1.1
v0.1.1-alpha.0
v0.1.10
v0.1.11
v0.1.12
v0.1.12-alpha.2
v0.1.13
v0.1.13-alpha.4
v0.1.13-alpha.5
v0.1.14
v0.1.14-alpha.0
v0.1.14-alpha.3
v0.1.15
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v6.*
v6.0.0
v6.0.1
v6.0.10
v6.0.11
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.0
v6.1.0-beta.0
v6.1.0-beta.1
v6.1.0-beta.2
v6.1.1
v6.2.0
v6.2.0-beta.0
v6.2.0-beta.1
v6.2.1
v6.2.2
v6.3.0
v6.3.0-beta.0
v6.3.0-beta.1
v6.3.0-beta.2
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.4.0
v6.4.1
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.1.0
v7.1.0-beta.0
v7.1.0-beta.1
v7.1.1
v7.1.10
v7.1.11
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.9
v7.2.0
v7.2.0-beta.0
v7.2.0-beta.1
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.3.0
v7.3.1
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39365.json"