CVE-2026-39365
Vite Optimized Dependency Source Maps - Path Traversal
Severity: MEDIUM | Exploited in the wild | Nuclei template available
Title source: manual
Exploitation Summary
CVE-2026-39365 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
Vite is a frontend tooling framework for JavaScript. In versions from 6.0.0 up to, but not including, 6.4.2, 7.3.2 and 8.0.5 (the 6.x, 7.x and 8.x release lines respectively), the dev server's handler for .map requests on optimized dependencies resolves the requested file path and calls readFile without rejecting ../ segments in the URL. An unauthenticated request to the dev server can therefore bypass the server.fs.strict allow list and read .map files located outside the project root, with the caveat that only files that parse as valid source map JSON are returned. The issue is fixed in 6.4.2, 7.3.2 and 8.0.5; upgrade to one of those versions, and avoid exposing the dev server beyond localhost (port 5173 by default) in the meantime.
Nuclei Templates (1)
Vite Dev Server - Path Traversal in Optimized Deps .map Handling
Severity: MEDIUM | Verified | Author: theamanrawat
Shodan:
http.html:"/@vite/client" port:"5173"
FOFA:
body="/@vite/client" && port="5173"
References (1)
Core References (1)
x_refsource_confirm:
https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9
Scores
CVSS v3
5.3
EPSS
0.0146
EPSS Percentile
81.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2026-05-22
CWE
CWE-22
Status
published
Products (8)
npm/vite: 8.0.0 - 8.0.5 (npm)
vitejs/vite: 6.0.0 - 6.4.1
vitejs/vite: >= 6.0.0, < 6.4.2
vitejs/vite: >= 7.0.0, < 7.3.2
vitejs/vite: >= 8.0.0, < 8.0.5
vitejs/vite-plus: < 0.1.15
vitejs/vite-plus: < 0.1.16
voidzero/vite+: < 0.1.15
Published
Apr 07, 2026
Tracked Since
Apr 08, 2026