CVE-2026-41211
Published: 23 April 2026
Summary
CVE-2026-41211 is a critical-severity Path Traversal (CWE-22) vulnerability in Voidzero Vite\+. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the path traversal flaw in Vite+ by upgrading to version 0.1.17 or later, directly eliminating the vulnerability.
Mandates validation of the untrusted version string at system interfaces to block path traversal sequences before filesystem path construction.
Restricts version inputs to safe characteristics excluding path separators and traversal sequences like '../', preventing directory escape.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal enables remote unauthenticated exploitation of the exposed toolchain (T1190) and facilitates supply chain compromise via arbitrary file writes/deletes outside the cache directory (T1195).
NVD Description
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape…
more
the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.
Deeper analysisAI
CVE-2026-41211 is a path traversal vulnerability (CWE-22) in Vite+, a unified toolchain and entry point for web development. In versions prior to 0.1.17, the `downloadPackageManager()` function accepts an untrusted `version` string and incorporates it directly into filesystem paths without sanitization. This allows attackers to include `../` path traversal sequences or absolute paths, enabling escape from the intended `VP_HOME/package_manager/<pm>/` cache root.
The vulnerability has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and scope change. Remote unauthenticated attackers who can invoke `downloadPackageManager()`—such as through malicious inputs in web development workflows—can exploit it to delete, replace, or populate arbitrary directories outside the cache root, potentially leading to filesystem disruption, persistence, or supply chain compromise.
Version 0.1.17 of Vite+ patches the issue by addressing the unsafe path handling. Security practitioners should upgrade to this version or later, as detailed in the GitHub Security Advisory at https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2.
Details
- CWE(s)