Bug 2456181 (CVE-2026-39364) - CVE-2026-39364 vite: Vite: Information disclosure via query parameter manipulation on the development server
Keywords:
Status: NEW
Alias: CVE-2026-39364
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2456267 2456268 2456269
Blocks:
Reported: 2026-04-07 20:02 UTC by OSIDB Bzimport
Modified: 2026-04-10 13:11 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-07 20:02:41 UTC
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
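A detection check for the behaviour described above, as an added example that is not part of the bug report or the Vite project: it scans request-log lines for a denied file name served with HTTP 200 while one of the reported query keys is present. The log format (`<method> <request-target> <status>`, e.g. from a proxy in front of the dev server), the function names and the sample lines are assumptions constructed for illustration; the name patterns cover only the two examples the report gives.

```javascript
// Added example (not from the Vite project or the bug report).
// Assumption: each log line is "<method> <request-target> <status>".

// File names the report gives as examples of server.fs.deny targets.
const DENIED_NAMES = [/^\.env$/, /\.crt$/];
// Query keys the report names: ?raw, ?import&raw, ?import&url&inline.
const REPORTED_KEYS = new Set(['raw', 'import', 'url', 'inline']);

// Split one log line into file name, query keys and status code.
function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(\d{3})$/.exec(line.trim());
  if (!m) return null;
  try {
    const url = new URL(m[2], 'http://localhost');
    const name = decodeURIComponent(url.pathname).split('/').pop();
    return { name, keys: [...url.searchParams.keys()], status: Number(m[3]) };
  } catch {
    return null; // malformed target or bad percent-encoding
  }
}

// True when a denied file was answered with 200 and a reported key was used.
function isDeniedFileServed(line) {
  const r = parseLine(line);
  if (!r) return false;
  return r.status === 200 &&
    DENIED_NAMES.some((re) => re.test(r.name)) &&
    r.keys.some((k) => REPORTED_KEYS.has(k));
}

function scanLog(lines) {
  return lines.filter(isDeniedFileServed);
}

// Constructed sample log lines.
const SAMPLE_LOG = [
  'GET /src/main.ts 200',
  'GET /.env 403',
  'GET /.env?raw 200',
  'GET /src/logo.svg?raw 200',
  'GET /certs/dev.crt?import&url&inline 200',
  'GET /.env?import&raw 403',
];

console.log(scanLog(SAMPLE_LOG));
```

A hit means the server returned the file's contents, so any secrets in it should be treated as exposed and rotated after upgrading to 7.3.2 or 8.0.5.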
