Home / Vulnerability Intelligence / CVE-2026-39363

CVE-2026-39363 - Vulnerability Analysis

N/a

Last Updated: April 8, 2026

Vite - Information Disclosure

Published: April 7, 2026Updated: April 8, 2026PoC Available

Overview

Vite 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5 contains an information disclosure vulnerability caused by lack of Origin header validation in WebSocket connections, letting attackers retrieve arbitrary server files as JavaScript strings via vite:invoke event, exploit requires WebSocket connection without Origin header.

Severity & Score

Severity: N/a

Impact

Attackers can read arbitrary files on the server, potentially exposing sensitive information.

Mitigation

Update to versions 6.4.2, 7.3.2, or 8.0.5 or later.

References

https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-39363
Severity: N/a
Type: undefined
Status: unconfirmed

CWE

CWE-200

CVSS Metrics

N/A