Bug 2456181 (CVE-2026-39364)
| Summary: | CVE-2026-39364 vite: Vite: Information disclosure via query parameter manipulation on the development server | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aschwart, asoldano, aszczucz, bbaranow, bmaxwell, boliveir, bstansbe, dlofthou, drichtar, dschmidt, erezende, istudens, ivassile, iweiss, jlanda, jwong, kshier, mosmerov, mposolda, msvehla, nwallace, omaciel, pberan, pesilva, pjindal, pmackay, rmartinc, rstancel, simaishi, smaestri, smcdonal, ssilvert, stcannon, sthorger, teagle, thjenkin, ttakamiy, vdosoudi, vmuzikar, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve sensitive files, including environment variables (.env) and certificate files (*.crt), which should otherwise be blocked. This information disclosure could lead to further compromise of the system. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2456267, 2456268, 2456269 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-04-07 20:02:41 UTC