CVE-2026-41211

Source
https://cve.org/CVERecord?id=CVE-2026-41211
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41211.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41211
Aliases
Published
2026-04-23T00:56:15.568Z
Modified
2026-07-15T01:49:02.183321013Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H CVSS Calculator
Summary
`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`
Details

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager() accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP_HOME/package_manager/<pm>/ cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41211.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/voidzero-dev/vite-plus

Affected ranges

Type
GIT
Repo
https://github.com/voidzero-dev/vite-plus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:voidzero:vite\\+:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.1.17"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

v0.*
v0.0.0-0bfcc90f.20260209-0731
v0.0.0-3262bda4.20260210-0221
v0.0.0-40918e094cfc5866505c7c99ca8187c4793b88f6
v0.0.0-569bd560c8521f4cacc62e99477f14c99ca44a38
v0.0.0-833c515fa25cef20905a7f9affb156dfa6f151ab
v0.0.0-88c8bdd71344c6d38f5f11fb41e9070034598d79
v0.0.0-8a22e149.20260207-1117
v0.0.0-9f9a209dd123932614c8b5a568375a002e34562b
v0.0.0-dfd5c99899261c54d5b19dceaa831fab310d6171
v0.0.0-e32b32e5.20260224-0706
v0.0.0-f48af939.20260205-0533
v0.0.0-ffb4d08a8edafe855c59736c0a38ee85a2373ebb
v0.0.0-g0fd4d06d.20260225-1306
v0.0.0-g52709db6.20260226-1136
v0.0.0-g61d318d2.20260227-0939
v0.0.0-gd42e0ca6.20260225-0619
v0.0.2-g17a37daf.20260304-1136
v0.0.2-g3cb78c3c.20260305-0800
v0.0.2-gd8fe16bf.20260302-1535
v0.1.0
v0.1.1
v0.1.1-alpha.0
v0.1.10
v0.1.11
v0.1.12
v0.1.12-alpha.2
v0.1.13
v0.1.13-alpha.4
v0.1.13-alpha.5
v0.1.14
v0.1.14-alpha.0
v0.1.14-alpha.3
v0.1.15
v0.1.16
v0.1.17-alpha.5
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41211.json"