Skip to main content

Vite Plus

1 CVEs product

Monthly

CVE-2026-41211 npm HIGH PATCH GHSA This Week

Path traversal in Vite+ downloadPackageManager() allows local attackers to write or delete arbitrary files outside the intended cache directory. The vulnerability affects Vite+ versions before 0.1.17 and stems from inadequate input validation on the version parameter, enabling directory traversal via '../' sequences or absolute paths. Attackers with local access can manipulate filesystem operations to compromise system integrity and availability (CVSS 8.4, VI:H/VA:H). No public exploit identified at time of analysis, but exploitation requires minimal technical complexity (AC:L) and no authentication (PR:N). Vendor-released patch available in version 0.1.17.

Path Traversal Vite Plus
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Path traversal in Vite+ downloadPackageManager() allows local attackers to write or delete arbitrary files outside the intended cache directory. The vulnerability affects Vite+ versions before 0.1.17 and stems from inadequate input validation on the version parameter, enabling directory traversal via '../' sequences or absolute paths. Attackers with local access can manipulate filesystem operations to compromise system integrity and availability (CVSS 8.4, VI:H/VA:H). No public exploit identified at time of analysis, but exploitation requires minimal technical complexity (AC:L) and no authentication (PR:N). Vendor-released patch available in version 0.1.17.

Path Traversal Vite Plus
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy