HighCVENVD — high/critical CVEs (rolling 7d)· 7 Apr 2026

CVE-2026-39364 — Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2…

Severity: High · Kind: Vulnerability

Plain-English summary on the way

We've ingested this item but haven't summarised it yet. Read the upstream advisory using the link below in the meantime — the AI summary will appear here once the next run completes.

From the source

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

Vulnerability facts

CVE: CVE-2026-39364
CVSS: 7.5

Read the original advisory →← All threat intel

Was this useful?

00000Sign in to react

Plain-English summaries are AI-generated and reviewed for tone, not technical accuracy. For incident response, always rely on the original source linked above.