
CVE-2026-39363

High · Public PoC · Updated

Published: 07 April 2026
Modified: 30 June 2026
KEV Added: not listed
CVSS v4.0 base score: 8.2 (High)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0229 (81.1st percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-39363 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vitejs Vite. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-7 (Boundary Protection).

Deeper analysis

Vite is a frontend tooling framework for JavaScript that is affected by an access-control bypass vulnerability in versions 6.0.0 through 6.4.1, 7.0.0 through 7.3.1, and 8.0.0 through 8.0.4. The flaw stems from insufficient enforcement of file-system restrictions such as server.fs.allow when requests arrive over the development server’s WebSocket channel rather than ordinary HTTP; specifically, the custom vite:invoke event can invoke fetchModule with file:// URIs combined with the ?raw or ?inline query parameters, returning arbitrary server-side file contents as JavaScript strings.

An unauthenticated attacker who can reach the Vite WebSocket endpoint without an Origin header can exploit this path to read sensitive files on the server, including configuration secrets or source code that would otherwise be blocked by HTTP-layer controls. The attack requires only the ability to establish the WebSocket connection and does not need authentication or user interaction.

The vulnerability is addressed in the patched releases 6.4.2, 7.3.2, and 8.0.5, as documented in the GitHub Security Advisory GHSA-p9ff-h696-f583. No material rise in exploitation probability is indicated by the reported EPSS values.
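The practical defender task that follows from the paragraphs above is inventory: find every copy of Vite in a lockfile and decide whether it sits below the fixed release for its major line. The block below is an added example written for this page, not code from the Vite project or from the advisory. It hard-codes only what the advisory states (affected from 6.0.0 up to, but excluding, 6.4.2, 7.3.2 and 8.0.5 in the 6.x, 7.x and 8.x lines) and assumes the npm lockfile layout (lockfileVersion 2 or 3, a `packages` map keyed by `node_modules/...` paths); the sample lockfile is constructed for illustration. Pre-release builds below a fixed version are flagged as affected, which is the conservative reading of "before 6.4.2, 7.3.2, and 8.0.5".

```javascript
// Added example for this advisory (not code from Vite or the advisory page):
// decide whether an installed Vite version is in the affected range for
// CVE-2026-39363 and which fixed release closes it. Per the advisory, the
// 6.x, 7.x and 8.x lines are affected below 6.4.2, 7.3.2 and 8.0.5 respectively.
const FIXED_BY_MAJOR = { 6: "6.4.2", 7: "7.3.2", 8: "8.0.5" };

// Parse "MAJOR.MINOR.PATCH" with an optional pre-release tag (e.g. "7.3.2-beta.1").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering: compare the release triple, then treat a pre-release
// as older than the same release number (8.0.5-beta.0 < 8.0.5).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Returns { version, affected, fixed } for one Vite version string. Majors the
// advisory does not name (e.g. 5.x) are reported as not affected by this CVE.
function assessViteVersion(version) {
  const fixed = FIXED_BY_MAJOR[parseVersion(version).major];
  if (fixed === undefined) return { version, affected: false, fixed: null };
  const affected = compareVersions(version, fixed) < 0;
  return { version, affected, fixed: affected ? fixed : null };
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3), where
// keys look like "node_modules/vite" or "packages/app/node_modules/vite", and
// report every vite entry that still needs the patch. Nested copies matter:
// a patched top-level vite does not cover a vulnerable copy in a workspace.
function findAffectedVite(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/vite$/.test(path) || !meta.version) continue;
    const result = assessViteVersion(meta.version);
    if (result.affected) findings.push({ path, ...result });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable copy, one patched copy, and an
// unrelated package whose name merely starts with "vite".
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/vite": { version: "7.3.1" },
    "node_modules/vitest": { version: "1.0.0" },
    "packages/docs/node_modules/vite": { version: "6.4.2" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findAffectedVite(SAMPLE_LOCKFILE)) {
    console.log(`${f.path}: vite ${f.version} is affected by CVE-2026-39363; upgrade to ${f.fixed}`);
  }
}
```

Run against a real `package-lock.json` by replacing `SAMPLE_LOCKFILE` with the parsed file; for other package managers only the lockfile walker needs swapping, since the version assessment is independent of the file format.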

Vulnerability details

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

The vulnerability in an exposed Vite dev server allows unauthenticated remote file read via a WebSocket bypass of server.fs.allow controls, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1005 (Data from Local System) for arbitrary local file disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39364 (same product: Vitejs Vite)
CVE-2025-31125 (same product: Vitejs Vite)
CVE-2025-30208 (same product: Vitejs Vite)
CVE-2026-41211 (same product: Voidzero Vite+)
CVE-2026-30933 (shared CWE-200, CWE-306)
CVE-2025-25224 (shared CWE-306)
CVE-2024-13562 (shared CWE-200)
CVE-2025-30111 (shared CWE-306)
CVE-2024-55272 (shared CWE-200)
CVE-2024-13622 (shared CWE-200)

Affected Assets

vitejs vite: 6.0.0 to 6.4.1 · 7.0.0 to 7.3.1 · 8.0.0 to 8.0.4
voidzero vite+: ≤ 0.1.15

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates CVE-2026-39363 by remediating the specific flaw in Vite dev server versions through patching to 6.4.2, 7.3.2, or 8.0.5.

Prevent: Prevents remote exploitation (AV:N) by monitoring and controlling communications at external boundaries to block unauthorized access to the Vite dev server's WebSocket endpoint.

Prevent: Protects against unauthorized disclosure of arbitrary server files via the unauthenticated WebSocket path lacking Origin header validation on publicly accessible Vite dev servers.
