Skip to content

[HIGH] CVE-2026-39364: Package: vite Installed Version: 7.3.1 Vulnerability CVE-2026-39364 Severity:... #56

Description

@github-actions

🟠 High Security Finding

Scanner: Trivy
Rule: CVE-2026-39364
Severity: HIGH
File: pnpm-lock.yaml:1

Description

Package: vite
Installed Version: 7.3.1
Vulnerability CVE-2026-39364
Severity: HIGH
Fixed Version: 8.0.5, 7.3.2
Link: CVE-2026-39364

Remediation Guidance

Vulnerability CVE-2026-39364
Severity: HIGH
Package: vite
Fixed Version: 8.0.5, 7.3.2
Link: CVE-2026-39364
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

References


This issue was automatically created by repo-sentinel. Assigned to Copilot for an automated fix attempt.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity vulnerability finding

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions