Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-39364

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.026
EPSS Ranking 85.5%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-39364
  • Vitejs » Vite-Plus » Version: Any
    cpe:2.3:a:vitejs:vite-plus:*
  • Vitejs » Vite » Version: Any
    cpe:2.3:a:vitejs:vite:*
  • Vitejs » Vite » Version: 7.0.0
    cpe:2.3:a:vitejs:vite:7.0.0
  • Vitejs » Vite » Version: 7.0.1
    cpe:2.3:a:vitejs:vite:7.0.1
  • Vitejs » Vite » Version: 7.0.2
    cpe:2.3:a:vitejs:vite:7.0.2
  • Vitejs » Vite » Version: 7.0.3
    cpe:2.3:a:vitejs:vite:7.0.3
  • Vitejs » Vite » Version: 7.0.4
    cpe:2.3:a:vitejs:vite:7.0.4
  • Vitejs » Vite » Version: 7.0.5
    cpe:2.3:a:vitejs:vite:7.0.5
  • Vitejs » Vite » Version: 7.0.6
    cpe:2.3:a:vitejs:vite:7.0.6
  • Vitejs » Vite » Version: 7.0.7
    cpe:2.3:a:vitejs:vite:7.0.7
  • Vitejs » Vite » Version: 7.1.0
    cpe:2.3:a:vitejs:vite:7.1.0
  • Vitejs » Vite » Version: 7.1.1
    cpe:2.3:a:vitejs:vite:7.1.1
  • Vitejs » Vite » Version: 7.1.2
    cpe:2.3:a:vitejs:vite:7.1.2
  • Vitejs » Vite » Version: 7.1.3
    cpe:2.3:a:vitejs:vite:7.1.3
  • Vitejs » Vite » Version: 7.1.4
    cpe:2.3:a:vitejs:vite:7.1.4
  • Vitejs » Vite » Version: 7.1.5
    cpe:2.3:a:vitejs:vite:7.1.5


Products
Pricing
Contact Us

Shodan ® - All rights reserved