CVE-2026-39363

HIGH NUCLEI

Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Title source: cna

Description

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Exploits (2)

github NO CODE 1 stars

by Hex0rc1st · pythonpoc

https://github.com/Hex0rc1st/CVE_POC_monitor/tree/main/article/uploads/demo_1775787363/【已复现】Vite WebSocket 任意文件读取漏洞(CVE-2026-39363)安全风险通告

View Code ZIP pw:eip

nomisec WORKING POC

by Firebasky · poc

https://github.com/Firebasky/CVE-2026-39363

View Code ZIP pw:eip

Nuclei Templates (1)

Vite Dev Server - Arbitrary File Read

HIGHVERIFIEDby theamanrawat

Shodan: title:"Vite App"

FOFA: body="/@vite/client"

References (1)

[X_Refsource_Confirm] https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583

Scores

CVSS v3 7.5

EPSS 0.0233

EPSS Percentile 84.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200 CWE-306

Status published

Products (7)

npm/vite 8.0.0 - 8.0.5npm

vitejs/vite 6.0.0 - 6.4.1

vitejs/vite >= 6.0.0, < 6.4.2

vitejs/vite >= 7.0.0, < 7.3.2

vitejs/vite >= 8.0.0, < 8.0.5

vitejs/vite-plus < 0.1.15

vitejs/vite-plus < 0.1.16

Published Apr 07, 2026

Tracked Since Apr 08, 2026