🟠 High Security Finding
Scanner: Trivy
Rule: CVE-2026-39364
Severity: HIGH
File: pnpm-lock.yaml:1
Description
Package: vite
Installed Version: 7.3.1
Vulnerability CVE-2026-39364
Severity: HIGH
Fixed Version: 8.0.5, 7.3.2
Link: CVE-2026-39364
Remediation Guidance
Vulnerability CVE-2026-39364
Severity: HIGH
Package: vite
Fixed Version: 8.0.5, 7.3.2
Link: CVE-2026-39364
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
References
This issue was automatically created by repo-sentinel. Assigned to Copilot for an automated fix attempt.
🟠 High Security Finding
Scanner: Trivy
Rule:
CVE-2026-39364Severity: HIGH
File:
pnpm-lock.yaml:1Description
Package: vite
Installed Version: 7.3.1
Vulnerability CVE-2026-39364
Severity: HIGH
Fixed Version: 8.0.5, 7.3.2
Link: CVE-2026-39364
Remediation Guidance
Vulnerability CVE-2026-39364
Severity: HIGH
Package: vite
Fixed Version: 8.0.5, 7.3.2
Link: CVE-2026-39364
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
References
This issue was automatically created by repo-sentinel. Assigned to Copilot for an automated fix attempt.